Security tactics: Visa, JPMorgan Chase and Experian talk about how they are adopting more stringent corporate defense mechanisms. PAGE 10.

Clear Choice Test: ID mgmt: ID Sentrie from A10 Networks offers easy-to-use, identity-based provisioning tool. PAGE 41.

Hot video: Internet video technology is changing rapidly. Here are 10 things you need to consider before deploying video on the Net. PAGE 20.
What's up with titans’ R&D

Microsoft counters perception that it's content to let others lead

BY JOHN FONTANA

When the word “innovation” is tossed about, many look down their noses at Microsoft.

The look is not unwarranted, given critics’ charges that the software giant has chased innovation born from competitors such as Apple and Google. And who can forget Bill Gates’ Internet Tidal Wave memo in 1995 that swept Microsoft into an online world already awash in innovation.

But it’s not all tales of late to the party.

Microsoft planted the seeds of innovation 15 years ago, when it established what has become one of its most distinguishing features, Microsoft Research (MSR). The laboratory has spawned technology seen today in products from Windows Vista to Exchange Server to Xbox 360.

MSR has grown from an idea to more than 700 researchers working out of five labs around the globe with a budget of more than $250 million. MSR

See  Microsoft,  page  12 


IBM adding structure to services like fraud mgmt., VoIP, security

BY ANN BEDNARZ

Unlike Microsoft, IBM has been considered an industry innovator. And right now services research is a hot area for Big Blue, as the corporate giant looks to eke out greater profitability from its services division.

The idea behind services research is to build a stable of repeatable industry offerings and capabilities using new and existing IBM technologies. By structuring services — taking out some of the judgment calls and reducing the emphasis on labor — IBM hopes to streamline delivery and at the same time improve the quality of its services engagements.

Leading the charge is Robert Morris, who in mid-2004 gave up his research role at IBM for a spot in services. Morris had been the head of IBM’s Almaden Research Center in Silicon Valley when he embarked on a two-year stint in Global Services.

Today he’s back on the research side of IBM’s

See  IBM,  page  14 
VoIP leaving TDM in dust

BY PHIL HOCHMUTH

Is VoIP reliable? Scalable? Ready for prime time?

For the answer, you need only look at the raft of ambitious enterprise VoIP projects — with multiple thousands of phones — announced in recent months, or the latest telephony market research, which shows VoIP outselling digital PBX lines for the first time.

“IP telephony has gone mainstream,” says Brian Riggs, a VoIP analyst at Current Analysis. “There’s no doubt about it.”

Planned and ongoing VoIP rollouts at Bank of America, The New York Times Co., Amazon.com, Chicago public schools, University of Pittsburgh Medical Center and dozens of other organizations all point to the acceptance of VoIP as the new standard for business telephone and messaging systems, analysts and users say.

See  VoIP,  page  16 


180,000 IP phones

Bank of America’s Craig Hinkley shares lessons learned in our online-only interview with him.

www.nwdocfinder.com/6455 
► BigFix wins test of six patch management and remediation products. Page 35.


IEEE pursuing 100G Ethernet

High Speed Study Group skipping right past 40G

BY PHIL HOCHMUTH

The IEEE’s High Speed Study Group (HSSG), asked to explore what Ethernet’s next speed might be, has voted to pursue 100G Ethernet over other high-speed considerations, such as 40G Ethernet. The IEEE will work to standardize 100G Ethernet over distances as far as 6 miles over single-mode fiber-optic cabling and 328 feet over multimode fiber.

The need for 100G Ethernet is growing as IP video and transaction-intensive Web 2.0 applications are exploding across the Internet. Companies such as YouTube regularly add 10Gbps service pipes to meet growing demand, and carriers will need a better way to aggregate such links, industry watchers say.

See  100G  Ethernet,  page  52 


Road to 100G Ethernet

1999: IEEE 802.3ab standard for Gigabit Ethernet over copper is approved.

JUNE 2006: IEEE 802.3an standard for 10 Gigabit Ethernet over twisted-pair copper is approved.

JULY 2006: IEEE High Speed Study Group is formed to examine next versions of Ethernet, including 40G and 100G.

2007: IEEE expects to form a 100G Ethernet Task Force.

2009/2010: IEEE anticipates the 100G Ethernet standard will be complete.
last gasp?

30 Opinion: On technology: A peek inside Sun Labs research.

14 Johna Till Johnson: More telecom contract tips.

31 Opinion: Daniel Briere: Unlocking ruling rings in more cellular chaos.


COOLTOOLS 

Samsung’s  YP-K5  digital  music  player,  left,  has  built-in  speakers  and  30 
hours  of  battery  life.  Gateway’s  M685-E,  right,  is  a  smaller  notebook  with 
enough  power  and  memory  for  users  to  multitask  applications.  Page  26. 


Management and Careers

44 Massachusetts CIO resigns in protest: Louis Gutierrez, left, reflects on a painful second tour as head of the state's IT department.

“These were among the longest eight months of my dog-life.”


Tech  Update 

23 Overlay network for security policies.

23 Ask Dr. Internet.

26 Mark Gibbs: Tableau: PivotTable on steroids.

26 Keith Shaw: Cool tools, gizmos and other neat stuff.

Clear Choice Test:

ID Sentrie from A10 Networks offers an easy-to-use, identity-based provisioning tool. Page 41.

Clear Choice Test:

Patch management products are adding remediation functionality. We evaluated six products and determined that BigFix Enterprise Suite stood out for its ease of use and customization capabilities. Page 35.


Newsbits 


HP  settles  civil  lawsuit  over  spying 

■ HP has agreed to a $14.5 million settlement in the California civil lawsuit related to the company’s spying scandal. Under terms of the settlement with the California attorney general, HP will pay $13.5 million to create a “Privacy and Piracy Fund” for law enforcement activities related to privacy and intellectual property rights operated in the state Attorney General’s Office. The company also will pay $650,000 in civil penalties and $350,000 to cover investigation expenses, California Attorney General Bill Lockyer announced. HP executives and private investigators retained by the company still face criminal charges in the scandal, which involves the alleged use of “pretexting,” or pretending to be someone to obtain their personal phone records. The charges include using false or fraudulent pretenses to obtain confidential information from a public utility, wrongful use of computer data, identity theft and conspiracy.


Hackers  work  around 
Vista's  activation  feature 

■ Hackers are distributing a file that they say lets users of the corporate version of Microsoft’s Windows Vista operating system get around the software’s antipiracy mechanisms. Windows Vista must be “activated,” or authorized by Microsoft, before it will work on a particular machine. To simplify the task of activating many copies of Vista, Microsoft offers corporate users special tools, among them Key Management Service, which lets a company run a Microsoft-supplied authorization server on its own network and activate Vista without contacting Microsoft for each copy. The software Microsoft.Windows.Vista.Local.Activation.Server-MelindaGates lets users spoof that KMS process, letting them activate copies of the enterprise editions of Vista, its creators say. Microsoft did not respond to requests for comment on the hack.

Microsoft  readies 
security  fixes 

■ Microsoft plans to patch its Windows and Visual Studio products this week, but it does not have a fix in the works for a widely publicized flaw in Word, which hackers reportedly were exploiting last week in targeted attacks. The company’s security team is readying five sets of patches for Windows and will issue a single critical security update for Visual Studio, Microsoft said. Microsoft rates the most serious of its Windows updates as critical, meaning an attacker could exploit the underlying flaw to run malware on a victim’s PC with no user action. These security patches are usually released on the second Tuesday of each month. The company strives to publish a small number of updates in December, because IT operations are often short-staffed during the holiday season.

Benchmark  compares  storage  gear 

■ The Storage Performance Council last week announced a new benchmark for testing storage systems that lets users, resellers and integrators compare the performance of competing devices. The SPC Benchmark-2 (SPC-2) was conceived for testing direct-attached, network-attached and storage-area network systems, as well as storage virtualization technologies, host bus adapters and volume managers. The benchmark consists of three workloads designed to demonstrate the performance of a storage configuration during the execution of business-critical applications that require large-scale, sequential movement of data. The three workloads are: sequential processing of one or more large files used in scientific computing or large-scale financial processing; large database queries, such as those performed for data mining or business intelligence; and video on demand, such as retrieving data from a digital film library.

Telecom  budgets  a  wasteland 

■ Businesses that don’t have full control over their telecom expenses are losing millions of dollars to unnecessary telecom charges annually, according to a report from Aberdeen Group. One source of extra expenses is late fees. Based on survey results, 65% of businesses are getting hit with late-payment fees from their service providers. On average, respondents incurred 2.9% late-payment fees, which could be significant if a company’s monthly bills run in the millions of dollars and are several months late, says Joe Basili, research director at Aberdeen and author of “The Cost of Not Acting: The Total Telecom Cost Management Benchmark Report.” Telecom expense-management vendors MDSL, ProfitLine, Paetec Communications and Tangoe sponsored the report, available free through Jan. 27. In the report, Aberdeen’s Basili describes ways to save money, such as using a reverse auction to secure new telecom services.

Unlocking  your  phone 

■ The U.S. Copyright Office has issued rules that say carriers, for at least the next three years, will no longer be allowed to “lock” your phone to prevent the device from being used on another carrier’s network. Wireless service providers reportedly have used these software locks to keep customers, who were under contract, on their network in an effort to recoup the cost of offering discounted handsets to new customers. But in many cases these locks were not lifted even after contracts were fulfilled. According to other reports, some service providers were more lenient. T-Mobile unlocked phones for customers who were 90 days into their contract if the customer made such a request. The Copyright Office’s ruling looks to be a boon for consumers, but some vendors have a different take. Reseller Tracfone Wireless filed a lawsuit to reverse the decision in U.S. District Court in Florida, according to a Wall Street Journal report. Tracfone, along with trade group CTIA Wireless, filed comments to the Copyright Office after the comment period closed.
“The first time you use it, it’s like turning on a light in a kitchen at night and catching the cockroaches running.”

James Christiansen, chief information security officer at Experian International, deploying a data-leakage prevention appliance to monitor employee e-mail, file transfer and instant messaging.

See story page 10

Police  raid  IBM’s  Moscow  office 

■ Police raided IBM’s Moscow headquarters last week, in addition to two other IT suppliers in a $38.18 million investigation into procurement fraud, government officials said. IBM spokesman Jonathan Batty confirmed that the raid had taken place. He wouldn’t say whether the authorities seized documents or computer equipment. “We’re stating for the time being that we are cooperating with the Russian authorities but declining to give any further comment now,” Batty said. Russia’s Interior Ministry said the raids were part of an investigation into computer purchases by the country’s Pension Fund. Executives of the fund are accused of conspiring to buy equipment from the companies at higher-than-market prices, according to Novosti, one of Russia’s government-owned news agencies. The other two IT companies raided are Lanit Group, a Russian company that deals in outsourcing software development, and R-Style Group, a supplier of computers, peripherals and office equipment, according to the Moscow Times.

A shiny new Internet2.

Internet2, a consortium of research and higher-education bodies working on advanced network technologies and applications, last week went live with the first segment of its next-generation network. The group's new network is designed to support 10 10Gbps lambdas.

NAC's been on the pedestal long enough.

Network Access Control technologies may be waning as a priority for U.S. businesses, because decision makers worry that the technology isn't quite baked yet, according to an upcoming study by TheInfoPro. “People are taking it off their books for the next 12 months and waiting for it to mature,” says an analyst at the firm.

If Cisco were Starbucks...

A Redback spokesman last week took some shots at Cisco's 7600 edge router just as the product becomes more of a direct competitor to Redback's offerings: “Single-service broadband routers are a little out-of-date in today's multiservice, multiaccess world. It's a little like buying three computers today, then dedicating each PC to a single application, such as Word, PowerPoint and Excel. Put another way, if Cisco were Starbucks, the San Jose company would figure out a way to sell you three different coffee machines to make you a single latte.”

Watchdogs  call  MP3  site  ‘worst’ 

■ Two consumer-protection groups are asking the U.S. Federal Trade Commission to investigate FastMP3Search.com.ar, a Web site that distributes software that can be used to search for digital music on the Web. The FastMP3Search plug-in disables the Windows Firewall, installs adware and Trojan horse programs, and generally hobbles a user’s PC, said John Palfrey, the Harvard Law School professor who is StopBadware.org’s co-director. The software is also virtually impossible to remove once installed, he added. StopBadware.org and the Center for Democracy and Technology plan to file a formal complaint with the FTC. “We are asking the FTC to take a close look at an application that we consider to be the worst of the bad applications that we’ve seen over the course of the last year,” Palfrey said. Representatives from FastMP3Search.com.ar could not be reached immediately for comment. The Web site is registered to a company called Direct S.A., based in Buenos Aires, according to the Network Information Center Argentina.


“And, if you move the joystick this way, the center fielder runs backwards!”

Gary Robinson of Wadsworth, Ohio, is this week's winner. Join us each Monday for the start of a new round. www.networkworld.com/weblogs/layer8


PEERSAY

From our online forums

■ Research at Microsoft. Our story on Microsoft Research got people talking. One user started it off by listing every Microsoft failure over the past 20 years: “Their design is klunky — the Zune is a perfect example, and the software interfaces I have worked with are just as half-baked.” But Sleepless Geek says for every problem in the consumer arena, Microsoft has developed an innovation in the programming sphere: “Programming languages such as Visual Basic, the brother of Basic, Bill Gates' one true piece of original software. C# is another. Also much of the back-office suites can be attributed to them.” Read all the comments, jump in with your own: www.nwdocfinder.com/6397

■ Phishy domain names. Paul McNamara wonders why domain registrars can't simply refuse to register domain names that are obviously going to be used for phishing. NocMaster agrees: “I think it shows very poor business ethics to allow such domains to be registered. Especially when it's that obvious, I mean if you don't have the common sense to see what a URL like that is going to be used for then you shouldn't be in the business.” www.nwdocfinder.com/6396

■ Application services on the router. One user says it makes perfect sense for Cisco to integrate its Wide Area Application Services with its routers: “Beyond the complexities of QoS and converged technologies like voice, there is ease of use and redundancy issues to deal with — these are much more easily addressed within the router platform.” www.nwdocfinder.com/6395

■ Too early for NAC? One user thinks so: “The NAC technologies are not yet fully baked. There are a few early adopters, but they are experiencing a very bumpy ride.” What do you think? www.nwdocfinder.com/6394
BLOGOSPHERE

Where’s the justice?

Plus: Wrong search terms, raining meteoroids, violated copyrights

Where’s the justice? Layer 8 bristles over the news that a Seattle BlackBerry addict caused a three-car, one-bus pileup by using his handheld device while driving. Turns out the guy got a measly $153 fine. Meanwhile, Layer 8 points out, a woman in Michigan got 30 days in jail for violating a noise ordinance with her cell phone. www.nwdocfinder.com/6446

Duck! Buzzblog this week turns to the heavens. Paul McNamara writes that “NASA scientists have determined that your chances of being hit upside the head by a meteoroid are four times greater than previously believed — provided you’re standing on the moon.” Apparently NASA’s models of meteor activity were based on observations of meteors in Earth’s skies, and the data didn’t translate well. www.nwdocfinder.com/6448

He fits the profile. Mark Gibbs recently Googled “binary explosives,” which probably wouldn’t have raised any electronic eyebrows six years ago. But in the post-9/11 world, Googling that phrase brings up a warning about a Web site certificate issued by the Department of Defense. Writes Gibbs: “It looks like the Department of Defense with Google’s help is tracking me, because I used a suspicious search term. It also looks like either the DoD aren’t really good at stealth or they want me to know that they are watching. Definitely lame either way.” www.nwdocfinder.com/6447

Microsoft on the wrong end of copyright tussle. If someone violated Microsoft’s copyright, you might expect the company to take drastic action. What would happen if Microsoft violated someone else’s copyright? Microsoft found out when it embedded a Flickr version of someone’s images. As Adam Gaffin explains in Compendium, the result was, um, not pretty. www.nwdocfinder.com/6449


Hot Seat interviews, the coolest tools, and more

Hot Seat: Slashing storage costs: How can you replace 30 physical servers with one storage appliance without affecting your applications? Bob Miller, CEO of OnStor, explains how. www.nwdocfinder.com/6393

Cool Tools: Enterprise phone nirvana: Cool Tools West Coast correspondent Joel Snyder joins Keith Shaw to discuss his favorite and not-so-favorite smart phones. www.nwdocfinder.com/6392

Twisted Pair Podcasts: Quackabit Ethernet is really fast: Keith lobbies to be the official podcast of the new NASA Moon base and Jason discusses the IEEE decision to approve 100 Gigabit Ethernet. www.nwdocfinder.com/6391

HELPDESK: Find the answers to these prickly problems online.

This week: Applications for watching Internet usage.

Ron Nutter helps a user pick the best app for watching Internet use. Help desk response: www.nwdocfinder.com/6390

M.E. Kabay explains why you need to track not just hackers but also your security vendors. Help desk response: www.nwdocfinder.com/6388


BEST OF NW’S NEWSLETTERS

Disposable e-mail addresses foil plans

Plus: Syncing mobile use, security

Web applications: Want to download something, and the site is asking for your e-mail address, but you don’t want to give it and be subject to their spam, er... marketing messages? Columnist Mark Gibbs suggests some products that offer real but temporary e-mail addresses to get you through the verification process. www.nwdocfinder.com/6424

Wireless in the enterprise: Mobile use is significantly up, according to Network Chemistry’s latest Wireless Threat Index — but correspondingly so too are the number of incidents of mobile users engaging in risky behavior. Newsletter author Joanie Wexler reports. www.nwdocfinder.com/6425

Network optimization: The slew of news around acceleration, security and optimization technologies in 2006 could make any network manager’s head spin. How do you incorporate all the tools you need to deliver applications securely and quickly without overhauling your network? Senior Editor Denise Dubie has some answers. www.nwdocfinder.com/6426

Unified communications: Microsoft Exchange is the most widely used corporate messaging system in North America, meaning that most organizations have some level of concern about how they manage .PST files. Analyst Michael Osterman discusses how to manage these .PST files effectively. www.nwdocfinder.com/6427


Robin Gareiss looks at simplifying your branch-office infrastructure. Help desk response: www.nwdocfinder.com/6389

Mike Karp examines SATA and SAS for small-to-midsize business storage. Help desk response: www.nwdocfinder.com/6387


Financial firms share security plans

Visa, JPMorgan Chase and Experian among companies adopting more stringent protection

BY ELLEN MESSMER

NEW YORK — Some of the top players in the financial services arena — such as Visa, JPMorgan Chase and Experian International — are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York last week said their firms are adopting both new network defenses and organizational structures to lower risk of a data breach. Some say the survival of their businesses may be at stake, because news reports about incidents are leading to customer loss and million-dollar lawsuits. California was the first state to require public disclosure of a data breach; about 30 other states and localities now do as well.

“When an event becomes public, the stock price tilts, there’s brand damage and finally decreased revenues,” said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

Experian, a global company with more than $3.1 billion in annual sales from consumer credit reports and other business data and analytics, cited its rival, ChoicePoint, as the industry’s bad boy poster child. ChoicePoint last year acknowledged a loss of 145,000 customer records and is still fighting lawsuits. In the hope of avoiding a similar fate, Christiansen acknowledged Experian has ratcheted up its defenses in several ways.

For one thing, “We just won’t accept data that isn’t encrypted anymore,” Christiansen said. In addition to encouraging employees to report any suspicious events, about eight months ago Experian also started using a data-leak prevention appliance to monitor employee e-mail, file transfer and instant messaging.

“The first time you use it, it’s like turning on a light in a kitchen at night and catching the cockroaches running,” Christiansen said. Experian doesn’t block suspicious network behavior but does investigate data transfers that may violate corporate policy, such as failure to use encryption. Most of the time these incidents are mistakes by employees that require training reinforcement.

Security and upper management

How often business managers hear from the security manager about...

Security projects: Never 10%; Less than annually 28%; At least annually 60%

Security incidents: Never 11%; Less than annually 40%; At least annually 48%

Compliance: Never 12%; Less than annually 30%; At least annually 55%

Totals do not equal 100% due to rounding.

SOURCE: ERNST & YOUNG SURVEY OF ABOUT 1,200 CHIEF INFORMATION SECURITY OFFICERS.

According to Christiansen, cybercrime that targets sensitive customer financial data is lucrative and well organized, something that hit home by working with the U.S. Secret Service on what’s called the Project Harvest research online with others in the industry.

He said he sees that thieves around the world are selling financial-theft Trojan software programs for $1,000 to $5,000, a credit card with PIN for $500, change of billing data for $80 to $300, and stolen credit card numbers with security codes for $7 to $25, depending on volume. “It costs $7 for a PayPal account logon and password,” he added.

With the stakes ever higher, card-services giant Visa International has begun an ambitious retooling of its network authentication process to combine physical and logical security information to deter potential network misuse.

The  project  involves  combining 
information  taken  from  Visa’s 
physical-security  badge  readers 
worn  by  employees  and  cross¬ 
checking  real-time  physical  loca¬ 
tion  with  network  authentication 
information  to  make  sure  there’s 
an  acceptable  match. 

“We’re taking the next step,” said Phil Maier, vice president of information security in the emerging technology and network group at Visa USA’s technical arm, Inovant, who spoke at the FinSec conference. “The badge ID has to have a link to the domain ID [on the computer].”

If  the  physical  and  logical 
thresholds  don’t  match  up  —  for 
example,  activity  is  occurring  at 
a  restricted  computer  when  the 
badge  reading  shows  the 
employee  is  not  physically  there, 
or  an  employee  is  viewed  as 
physically  present  but  an  authen¬ 
tication  process  is  occurring 
remotely  —  the  session  should 
not  be  allowed  because  it  raises 
security  questions. 

To  do  this,  Inovant  is  working 
on  a  home-grown  coding  pro¬ 
ject  that  has  the  company’s 
badge-reader  system  linked 
into  the  corporation  security 
information  management  sys¬ 
tem  from  Intellitactics. 

To have this and probably any security monitoring work correctly, it’s necessary to time-synchronize all computers precisely using the Network Time Protocol based on the government-supported Atomic Clock, Maier added.
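The badge-to-logon cross-check and the clock-synchronization requirement described above can be sketched as follows. This is an added example, not Inovant's or Intellitactics' code; the log layouts, the badge and domain IDs, the decision labels and the 5-second tolerance are all constructed assumptions.

```python
"""Added example: cross-check badge-reader presence against logon events."""
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed link table: domain ID -> badge ID (the link Maier describes).
LINKS = {"CORP\\alice": "B-1001", "CORP\\bob": "B-1002"}

# Constructed badge-reader log: (UTC time, badge ID, site, direction).
BADGE_LOG = [
    ("2006-12-11T08:00:03", "B-1001", "HQ", "in"),
    ("2006-12-11T12:00:00", "B-1001", "HQ", "out"),
    ("2006-12-11T09:00:00", "B-1002", "HQ", "in"),
]

# Constructed authentication log: (UTC time, domain ID, site of the
# restricted computer or None for a remote logon, "local" or "remote").
AUTH_LOG = [
    ("2006-12-11T08:00:01", "CORP\\alice", "HQ", "local"),   # 2 s before badge-in
    ("2006-12-11T10:30:00", "CORP\\alice", "HQ", "local"),   # badged in
    ("2006-12-11T13:00:00", "CORP\\alice", "HQ", "local"),   # already badged out
    ("2006-12-11T09:30:00", "CORP\\bob", None, "remote"),    # badge says on site
    ("2006-12-11T20:00:00", "CORP\\alice", None, "remote"),  # off site, remote
    ("2006-12-11T09:45:00", "CORP\\carol", "HQ", "local"),   # no badge link
]


def parse(ts):
    return datetime.fromisoformat(ts)


def build_timelines(badge_log):
    """Per badge, a time-ordered list of (time, site-or-None-when-outside)."""
    timelines = {}
    for ts, badge, site, direction in sorted(badge_log):
        state = site if direction == "in" else None
        timelines.setdefault(badge, []).append((parse(ts), state))
    return timelines


def possible_locations(timeline, when, tolerance):
    """Every location the badge holder may have had within +/- tolerance.

    The tolerance models residual clock skew between the badge system and
    the authentication servers; with well-synchronized clocks it can be small.
    """
    times = [t for t, _ in timeline]
    lo = bisect_right(times, when - tolerance)
    hi = bisect_right(times, when + tolerance)
    start = timeline[lo - 1][1] if lo else None  # state when the window opens
    return {start} | {state for _, state in timeline[lo:hi]}


def decide(event, timelines, links, tolerance):
    ts, domain_id, host_site, kind = event
    badge = links.get(domain_id)
    if badge is None:
        return "deny:NO_BADGE_LINK"
    places = possible_locations(timelines.get(badge, []), parse(ts), tolerance)
    if kind == "local":
        # Activity at a restricted computer needs the employee at that site.
        return "allow" if host_site in places else "deny:LOCAL_WITHOUT_PRESENCE"
    # A remote logon is only plausible if the employee may be off site.
    return "allow" if None in places else "deny:REMOTE_WHILE_PRESENT"


def review(auth_log, tolerance, badge_log=BADGE_LOG, links=LINKS):
    timelines = build_timelines(badge_log)
    return [decide(e, timelines, links, tolerance) for e in auth_log]


if __name__ == "__main__":
    for label, tol in (("no tolerance", timedelta(0)),
                       ("5 s tolerance", timedelta(seconds=5))):
        print(label)
        for event, verdict in zip(AUTH_LOG, review(AUTH_LOG, tol)):
            print("  ", event[0], event[1], event[3], "->", verdict)
```

With no tolerance, the first logon is denied only because the two systems' timestamps differ by two seconds, which is the false mismatch that precise time synchronization is meant to prevent.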

The various data-breach disclosure laws that require the public be informed about incidents are driving change not just in technology implementation but in how organizations work to communicate between IT departments and upper management.

Anish  Bhimani,  managing  di¬ 
rector  at  JPMorgan  Chase,  who 
spoke  at  FinSec,  said  the  desire 
to  avoid  becoming  another  data- 
loss  news  story  has  prompted 
changes,  including  adding  lap¬ 
top  encryption  and  adopting 
tapeless  data  centers  for  the 
long  term. 


“We used to think more backups is better but that’s not exactly the case,” Bhimani said. Another process change involves automated scanning of 40,000 servers for penetration testing instead of having people do it manually.

A  chief  concern  involves  mak¬ 
ing  sure  JPMorgan  Chase’s  3,500 
third-party  providers  also  follow 
specific  security  practices,  and 
Bhimani  noted  it’s  difficult  to 
define  everything  that  can  go 
wrong. 

One of JPMorgan’s “outside service providers,” as Bhimani referred to it, recently misplaced some data that was recovered. “We looked at everything except what went wrong,” Bhimani said.

One major cultural change at JPMorgan Chase, a firm with 170,000 employees, has been to “focus on security metrics [by] focusing on the results, not activity,” he noted.

Instead of issuing data-filled reports to management, the focus is being refined to target concrete results. Weekly meetings are now required where IT staff discuss risks, exposures and compliance with unit CIOs, and unit CIOs huddle together on their own and with CEOs more frequently.

The  goal  is  to  figure  out  “how  do 
you  actually  improve  the  risk  pos¬ 
ture  of  the  organization  with  the 
data  you  have,”  Bhimani  said. 
JPMorgan  Chase  also  is  trying 
organizational  change  that  in¬ 
volves  assigning  more  security 
experts  into  the  business  divisions 
instead  of  technology  units. 

“The business needs to be able to take risks to make money, and our job is to help them find a way to do that,” Bhimani said. Another change for JPMorgan Chase will be a zero-based budget, starting each year with no specifically allotted spending for security and increasing. “You start to think about doing things differently.” ■


Correction 


■ In the test “ConSentry edges out Nevis in in-line NAC appliance test” (Dec. 4, page 58) the ConSentry LanShield cost should have been listed as $38,500.
A nod to the future

Microsoft Research, which turned 15 in September, has 700 researchers around the globe working on countless projects. Here is a look at a handful of technologies that could find their way into Microsoft's product portfolio.

Project: Bayesphone
Description: Uses streaming intelligence to see if a user can take a call by fusing together such information as GPS data, ambient sounds to detect whether the user is having a conversation, and information about the user's current situation, such as the title and location of the user’s meetings and their attendees.
Lab group: Adaptive Systems and Interaction Group

Project: Eclipse
Description: Improves the reliability of distributed systems by adding self-awareness, self-restoration, and “graceful degradation” to today's fault-tolerant systems.
Lab group: Distributed Systems Group

Project: Photo Tourism
Description: Collaboration between Microsoft researcher Rick Szeliski and University of Washington researchers that pieces together three-dimensional models using pictures, video and audio. A preview of the technology, called Photosynth, is at www.nwdocfinder.com/6445.
Lab group: Interactive Visual Media Group

Project: Vigilante
Description: Technology to contain worms automatically using collaborative detection at end hosts, which run software to detect worms and broadcast self-certifying alerts. The alerts trigger hosts to generate filters that block infection.
Lab group: Security and Privacy Group

Project: Wild Thing
Description: Encourages use of wild cards (*) anywhere in the input text so that a language model can find the best expansion and speed data entry, both on mobile devices and the desktop.
Lab group: Text Mining, Search, and Navigation Group

Microsoft 

continued  from  page  1 

incubates  not  only  futuristic 
ideas  but  also  young  minds:  It 
hired  700  interns  worldwide  this 
year,  including  250  computer  sci¬ 
ence  Ph.D.  candidates  in  Red¬ 
mond,  Wash.,  alone,  which  is 
roughly  21%  of  all  the  computer 
science  Ph.D.  candidates  in  the 
United  States.  Microsoft  officials 
say  it’s  the  world’s  largest  Ph.D. 
internship  program  for  computer 
science. 

The  MSR  staff,  however,  is  not  just 
computer  scientists.  It  includes 
psychologists,  sociologists,  anthro¬ 
pologists  and  medical  doctors 
whose  job  is  as  much  to  push  the 
envelope  on  state-of-the-art  tech¬ 
nology  as  to  transfer  their  tech¬ 
nology  into  new  and  existing 
Microsoft  products. 

But it is that technology transfer — from lab to shipping product — where many companies are judged.

“Technology is littered with vendors that have cool stuff in labs,” says Ian Campbell, CEO of Nucleus Research. “Microsoft as an innovator is good for creating things behind the scenes but bad at bringing them to market.”

Technology transfer is only one aspect of MSR, which has a dozen people working on that issue alone. The lab also has a laundry list of technology innovations that are part of the Microsoft product portfolio, including storage advancements to support the back end of Microsoft’s Windows Live Mail service (formerly HotMail), Vista’s SuperFetch feature that keeps tabs on a PC’s most used applications and holds them at the ready, interactive voice-response technology that makes the phone an Exchange 2007 client, and the TrueSkill ranking feature that is key to Xbox Live’s online gaming.

In  addition, a  program  called  IP 
Ventures,  which  launched  in  May 
2005,  is  licensing  some  of  the 
lab’s  intellectual  property,  such 
as  face  detection  and  tracking 
and  gesture-based  text  input,  to 
start-ups  and  high-growth  com¬ 
panies,  which  release  it  into  the 
marketplace. 

The  first  company  to  surface 
with  a  product  has  been  Wallop, 
which  unveiled  a  social-network¬ 
ing  site  two  months  ago  that’s 
based  on  MSR  technology. 

Full  contact  R&D 

“Technology  transfer  is  a  full- 
contact  sport,”  says  Rick  Rashid, 
senior  vice  president  in  charge  of 
MSR  and  the  lab’s  founder. “It  can 
happen  by  accident,  but  mostly  it 
is  hard  work.” 

Rashid, who came to Microsoft in 1991 from Carnegie Mellon University, says the lab’s hard work is evident in everything that represents Microsoft today.

“There are virtually no products Microsoft produces today that have not either taken technology from research, come directly out of research, or been built using the tools and technologies we’ve created in research,” he says.

And he says what is happening in the labs today suggests what might be possible in another five to 10 years; for example, its work on sensing technology includes a project called the SenseCam, a sort of virtual memory.

“The idea behind SenseCam is that I can hang something around my neck that has a 180-degree lens and can take pictures of what I see,” Rashid says. “It has temperature sensors, infrared sensors and a whole bunch of stuff with the idea that it can keep track of some period of time.”

He  says  Microsoft  is  working 
in  trials  with  the  medical 
community  to  support  memory- 
loss  patients,  and  talking  about 
the  implications  of  the  technol¬ 
ogy  with  police  and  military 
officials. 

Another  project  at  MSR  is  the 
TouchLight  interface,  which  is 
being  developed  by  researcher 
Andy  Wilson.  It  uses  computer 
vision  and  sensing  to  enable  new 
applications,  including  gesture- 
based  inputs  that  replace  the 
mouse  and  keyboard. 

TouchLight uses a projector and a camera to project a rectangular white box onto a tabletop. During a demonstration at MSR’s 15th anniversary celebration in September, Wilson used his hands to interact with objects projected into the “desktop” such as a bouncing ball. A map was brought up and Wilson zoomed in and out and rotated the map by moving his hands on the desktop. An integrated Bluetooth-like technology called Blue Rendezvous let Wilson lay a camera phone on the surface and have the pictures automatically downloaded to the computer. Wilson said the TouchLight technology could have applications for such things as videoconferencing and augmented reality.

“This  uses  a  lot  of  computer 
vision  technology  which  we  be¬ 
gan  developing  10  years  ago,  but 
as  we  move  into  the  digital  era  we 
have  more  and  more  ideas  how  to 
apply  computer  vision,”  says  Dan 
Ling,  director  of  Microsoft’s  lab  in 
Redmond. 

Microsoft  also  has  a  number  of 
projects  focused  on  distributed 
systems  in  its  Silicon  Valley  lab, 
which  it  opened  five  years  ago. 
While  the  lab  does  not  focus 
strictly  on  corporate  issues, 
many  of  its  efforts,  such  as  the 
Dryad  Project,  apply  to  corpo¬ 
rate  networks. 

Dryad  focuses  on  writing  and 
managing  distributed  applica¬ 
tions  and  making  it  easy  to  take  a 
single-machine  program  and  con¬ 
vert  it  for  execution  in  a  distrib¬ 
uted  environment. 

“It  is  essentially  building  the 
infrastructure  and  programming 
model  to  make  those  applications 
easy  to  write  without  having  to 
worry  about  all  the  gory  details,” 
says  Roy  Levin, distinguished  engi¬ 
neer  and  director  of  the  Silicon 
Valley  lab. 

Dryad scales from multicore single computers, to small clusters and to data centers with thousands of computers. The Dryad execution engine schedules the use of computers and their CPUs, recovers from communication or computer failures, and transports data among operations, which can number in the thousands and include terabytes of data.

But  that  is  only  one  of  many 
projects  in  six  research  areas  at 
the  lab. 

Other  notable  projects  include  a 
privacy  engine  that  can  filter  data 
kept  in  statistical  databases,  such 
as  those  run  by  the  U.S.  Census 
Bureau.  The  project  is  exploring 
privacy  controls  that  range  from 
full  disclosure  to  locking  down  all 
information. 

Another  project,  Nocturnal,  is  a 
social  networking  tool  focused  on 
letting  users  share  Web  site  book¬ 
marks  as  a  feature  of  instant-mes¬ 
saging  systems. 

Levin  says  the  projects  reflect  his 
lab’s  balance  between  short-term 
projects  to  benefit  shipping  prod¬ 
ucts  and  futuristic  technologies. 

“Work  we  have  done  on  Web 
search  was  focused  on  the  near 
term,  while  what  we  have  done 
around  privacy  is  longer  term,” 
Levin  says. 

That  focus  stretches  across  all 
of  MSR,  as  technology  contin¬ 
ues  to  stretch  the  bounds  of 
possibility. 

“In the technology field if you’re not able to change, if you’re not able to adapt, if you’re not able to innovate, you’re not going to be around,” Rashid says. “One of the things I like to say is, the reason you have Microsoft Research is so Microsoft will still be here 10 or 15 years from now.” ■


XenSource  expands 

BY  JENNIFER  MEARS 

Organizations  preparing  to  move  to  virtual  environments  will  find 
broader  options  in  2007,  as  competitors  to  market  leader  VMware 
emerge  with  enhanced,  enterprise-ready  offerings. 

One  example  is  XenSource,  which  on  Monday  is  expected  to  unveil 
formally  a  handful  of  products  that  range  from  free  software  to  an  enter¬ 
prise-caliber  package  that  includes  management  tools  and  support  for 
virtual  machines. 

XenSource,  the  company  formed  to  provide  commercial  support  for 
the  open  source  Xen  virtualization  software,  introduced  XenEnterprise 
a  little  over  a  month  ago.  By  hooking  into  the  virtualization  capabilities 
built  into  new  processors  from  Intel  and  AMD,  XenEnterprise  supports 
both  Windows  and  Linux  virtual  machines.  Previously,  XenEnterprise 
only  ran  Linux. 

In addition to XenEnterprise, XenSource is introducing XenServer for Windows server environments, and is joining VMware and Microsoft in rolling out a free offering, XenExpress. Virtual Iron also introduced a free virtualization package on Monday.

XenSource executives say all three products are built on the same architecture, letting users easily move among them. All run on any x86 hardware, although organizations looking for Windows support must run the software on new virtualization-enabled x86 machines.
business, spearheading efforts to help the services organization adopt a structure that reduces its dependency on individual consultants’ skills and increases its use of standardized technologies and processes.

IBM had existing fraud management technology that it now can wrap easily into a project to deliver a claims management system for an insurer. “That’s an example of a technology asset inserted into what otherwise might be a routine implantation of a claims system,” Morris says.

Over the last two years, IBM has worked to set up development labs around the world that are dedicated to services and to build out a range of standard processes and methods. In September, IBM began unveiling services products that take advantage of these standardization efforts. Among the first to debut are a network convergence bundle to help customers determine their convergence readiness, and an IP telephony offering focused on designing, deploying and managing IP telephony infrastructure.

The services products contain blueprints for project elements — such as requirements definition, implementation methodologies and testing plans — so IBM’s services staff can duplicate the tactics they used for customers around the globe and minimize labor-intensive customizations.

Products such as these complement the work Morris did in the services division, where he focused on assets innovation — trying to figure out how to work technology assets into IBM’s services business to deliver higher-quality services more quickly and affordably. He not only worked directly with services clients but also made efforts to jump-start an internal transformation at IBM. A key part of his job was to get IBM employees from different parts of the company, such as hardware, software, research and consulting areas, to collaborate.

“IBM has so many assets that could be used for services, but being such a large company, it takes somebody to create links that might not otherwise have been made. That was a big part of my job,” Morris says.

Getting involved

IBM’s 60-year-old research division, which consists of 3,200 scientists in eight labs and six countries, traditionally has contributed technologies to IBM’s software and hardware business units. The emphasis on using R&D assets to improve its services operations is a new focus that has emerged as IBM’s services arm has grown to become the company’s leading revenue-producing business unit.

“We saw something was happening in services” in 2004, when services accounted for almost half of IBM’s business, Morris recalls. “Research was doing some work but really not very much. Also, technology was not playing anywhere near as much of a role in our services business as we knew it could.”

Today IBM’s services engagements continue to account for more revenue than do the company’s software and hardware lines of business. In 2005, Global Services contributed $47.4 billion, or 52%, of IBM’s $91.1 billion annual revenue.

But while more than half of IBM’s revenue comes from services, profit is another story. Software and hardware have much higher profit margins than services: In the most recent quarter, services had a 28% profit margin compared with 38% for hardware and a whopping 85% for software.

If IBM can find ways to be more efficient in services, the gains will bolster its bottom line. That’s the thinking that led Morris, who had been with IBM for 16 years, to move to the services side of the house and learn the business. Two years later he’s back in the research division and heading up services research.

Today a substantial portion of the research division is working on services-related issues, such as security, problem determination and workforce management. “It’s very exciting,” Morris says. “It’s an incredibly open territory to bring technology to these problems. We are having an incredible impact on business.”

Not every new research project ends up a candidate for bundling into other services engagements. But Morris and his team consider the broader applicability of such projects as a fire-management solution IBM researchers are developing for state authorities in the western United States. IBM’s mathematics experts created algorithms to optimize the deployment of fire trucks, planes and firefighters as available road access and other conditions change.

“It’s teaching us some things about the fast solving of very large mathematical problems,” Morris says. IBM eventually will determine if it makes sense to use the algorithms to develop a disaster-management system for the public sector. “We’ve been working on disaster management for years in the context of data centers, but we’ve never done it in the context of a forest. It broadens our horizons and opens our view to new classes of problems.”

For researchers, tackling services projects requires a different style of work. Instead of working somewhat in isolation, in a lab or an office, researchers are much more involved with clients and spend considerable time in the field. “It’s quite fascinating. It’s a real rush to get into a client situation and learn what they need to create a competitive advantage,” Morris says. “It requires a different mind-set, but pretty much everyone who tries it gets hooked on it.”

Part of what’s addicting for researchers is that they get more timely feedback on their efforts, Morris says. “It was a very long feedback loop. Now it’s an almost instantaneous feedback loop. We go out there, we brainstorm with our clients, and we come up with solutions on the spot. Because of the Web and because of software technology, and things like [service-oriented architecture], we can implement those solutions very quickly,” he says.

There’s more immediate gratification. “Once you get hooked on that, it’s hard to go back to the three- or four-year gratification mode,” Morris says. ■


A services focus

16-year IBMer Robert Morris spent two years with Global Services before returning to the research side, where today he's spearheading IBM's new services-related R&D efforts.

IBM’s research division at a glance

First lab established: 1945
Worldwide labs: Eight
Employees: 3,200
Annual R&D budget: Between $5 billion and $6 billion
Nobel Prize winners: Five
Patents: 40,000


EYE ON THE CARRIER

Johna Till Johnson

OK, you’re in the home stretch. You’ve issued your telecom RFP, assessed the responses and concluded your contract negotiations. You’ve got rates you can live with and services that represent a net improvement over what you’re getting now. You’re done, right?

Not so fast! The last, but crucial, step in negotiating a telecom RFP is to nail down the contract terms and conditions. Actually, it’s not exactly a last step. You should have been stressing the service-level agreements (SLA) and overall Ts-and-Cs discussions with carriers. But what tends to happen is that both sales folk and techies leave a lot of this conversation to the legal eagles. And that’s fine, as long as you and your legal team are clear on what clauses to shoot for in the final discussion. Here are some key ones:

• The right to walk if you’re unhappy, with no termination penalty. This is the big kahuna clause in telecom contracts. If you can negotiate a clause that says you can terminate the contract, for any reason, with no termination payments, you’re home free. You don’t need any of the other clauses in this list.

But realistically, that’s not likely to happen. So your challenge is to define the circumstances under which termination payments will not apply. Generally this has to be a fairly catastrophic situation, such as the network overall failing to perform. (One of my clients calls this the “sucky network” clause.) The gotcha is that you need to define “failure to perform” in ways that are both meaningful to you and objectively verifiable. One circuit going down once in a while isn’t failure to perform — but losing connectivity from all sites to your data center for several hours might well be.

• Failure to comply with SLAs. You need to spell out what happens if the telco fails to comply with defined SLAs in one of two scenarios: chronically (cases in which the telco misses the SLA somewhat, on an ongoing basis, but is still within 10% to 20% of stipulated performance) or acutely (cases in which the telco misses the SLA drastically, such as disconnecting your entire data center, as noted above). Most companies will shoot for refunds in the first case and the right to walk in the second.

• Mergers-acquisitions-divestitures clause. This gives you the right to renegotiate the contract if either you or the telco substantially restructure your business operations during the life of the contract. For example, if your company sells off the division responsible for most of the traffic, you shouldn’t be bound by the previous minimum annual revenue commitment.

• Technology migration. This is particularly important in a world that’s moving to VoIP. You’ll want to stipulate what happens if your voice traffic drops below a certain amount because of VoIP. Generally, carriers will maintain your rates as long as you meet overall revenue commitments with them — that is, if your data use goes up correspondingly as your voice drops. But don’t assume this — negotiate it.

Johnson is president and chief research officer at Nemertes Research, an independent technology research firm. She can be reached at johna@nemertes.com.


More  telecom  contract  tips 


Call  Details 
VoIP eclipse

As IP telephony products improved over the last several years, and users gained more confidence in the technology, IP-based PBX lines have surpassed digital TDM lines in terms of percentages of worldwide revenue.

VoIP

continued from page 1

Not that telecom professionals are entirely abandoning more than 50 years of digital PBX technology. Many are mixing IP and TDM technologies as they wean employees off of the old phone equipment.

The shift in market dominance from TDM to IP really became apparent in the first quarter of 2006, according to research firm Synergy Research Group. Two years ago, only a third of business phone system lines were IP but this grew to more than 60% by this year’s third quarter. (Enterprises have spent $7.7 billion on telephony in the first three quarters of 2006, according to Synergy.)

So what has prompted the shift?

“What changed over the past few years is that nothing changed,” Riggs says. Products from companies such as 3Com, Avaya, Cisco and Nortel have matured, not undergoing the disruptive changes seen in the early 2000s. Many of the questions regarding feature sets, stability and quality have been addressed, he adds.

IP telephony products and standards are at the point where some organizations are even comfortable with open source technology.

Amazon.com announced earlier this year that it is deploying the Pingtel SIPxchange Enterprise Communications System, an open source IP PBX, based on Linux servers and Session Initiation Protocol phones, to support thousands of users at its Seattle headquarters. Sam Houston State University in Texas and the Southern Co. are going live with the open source Asterisk VoIP platform, in enterprisewide rollouts and in small-pocket deployments.

“We have a lot more peace of mind with the open source system,” says Aaron Daniel, senior voice analyst at Sam Houston State University.

Following  the  leader 

Many companies embarking on IP telephony projects are following the lead of early adopters, such as Bank of America, which in 2004 announced plans to deploy 180,000 IP phones to all of its U.S. retail branches and offices.

With 800 branches nationwide hooked into Bank of America’s centralized Cisco CallManager-based phone systems, the project now runs at full steam, just as more enterprises start taking on large-scale VoIP rollouts.

“You see a lot more VoIP stories in the marketplace now,” says Craig Hinkley, senior vice president and manager of strategy, architecture and security for enterprise access and desktop services at Bank of America. “Were we the early adopter, or the front-runner? Maybe. But I believe, based on the size of our deployment, we needed that [large amount] of time because we had such a massive transformation to undergo.”

While Cisco’s IP telephony technology was deemed viable for deployment two years ago by Hinkley and his technology team, incremental improvements in reliability features and interoperability have since been introduced.

“You would hope the technology is more stable and more available and more reliable than it was a year or two ago,” he says. “There’s a better, faster, cheaper paradigm that Cisco and all networking vendors are pushed towards from customers.”

This means better communication tools for the bank’s associates, which equates to improved customer service. On the operations side, the bank is seeing significant cost reductions in telephony maintenance, service provisioning, and adds/moves/changes with the Cisco VoIP gear, Hinkley adds.

Many large rollouts starting now are also trending towards a single provider for data and voice, as with Bank of America’s all-Cisco project. Easier integration between the phone system and data network is the reason, some customers say. Deployments in new buildings without incumbent voice and data networks are primary targets for single-vendor convergence.

“Conceptually we felt we could be successful with either an integration of Cisco and Avaya products,” or an end-to-end Nortel package, says Robert Kraft, vice president of enterprise services for The New York Times, which is building a network of 3,600 IP phones from Nortel, along with new router, switch and security products from the vendor.

The issues of standards and interoperability were not a concern with a multi-vendor package, Kraft says; he felt a single-vendor approach offered tighter integration of applications and security along with voice and messaging.

OK  to  VoIP,  but  hold  the  phone 

“When an enterprise goes to IP telephony they either stick with their incumbent — a Nortel or an Avaya — or they bring in a new vendor, such as Cisco,” says Jeremy Duke, vice president of Synergy Research. Either way, he says, users must operate in a hybrid technology mode at some point.

“It can allow you to deploy as much IP as you want, incrementally,” Duke says of hybrid IP/TDM systems. “[This] also lets [users] gracefully migrate off of older systems.”

Such deployments are key where public safety and reliability are considerations, or where there are cost concerns about rolling out tens of thousands of new phones.

IP handsets at consumer products giant Kimberly-Clark “will be more of an exception, rather than the rule” in that company’s VoIP deployment, says Mike Post, senior manager of IT communication services. The Irving, Texas, company this year began replacing stand-alone PBX systems at more than 200 sites with Avaya VoIP gateways, which tie back to a centralized data center for call processing and messaging applications. Avaya digital desk phones in most locations will remain the same. “We didn’t see a great amount of value in deploying IP phones widely,” Post says.

With IP handsets starting in the $200 to $400 range in some cases, companies say there are significant savings in a PBX-replacement project by connecting existing digital desktop phones to VoIP gateways, which can be tied to IP-based call processing servers in a network data center. This approach still gives users the operational efficiency and cost savings of eliminating multiple PBXs at sites by consolidating call processing. In Kimberly-Clark’s case, the company can expect to save as much as $10 million by not deploying all IP phones to its 57,000 employees.

Using a hybrid approach also can save on wiring costs by eliminating the need to replace two-pair RJ-11 cabling with Ethernet wiring, and the required in-line power and backup systems.

“A lot of our schools are over 100 years old so we don’t have the [cabling] infrastructure at this point to go 100% IP,” says Katie Zalewski, telecom director at the Chicago public schools, which are spending $28 million to replace 19,000 Centrex handsets with digital phones attached to a centralized Mitel IP PBX system over the school system’s WAN.

For many customers, the impetus to go with VoIP is consolidation of disparate phone systems, and centralized management — not flashy desktop IP handsets with built-in Web browsers.

“We have a lot of infrastructure out there [that’s] just not integrated,” says Bill Hanna, vice president of IT infrastructure at the University of Pittsburgh Medical Center, which plans to install more than 66,000 IP digital and analog phone lines from Alcatel. The organization will crunch hundreds of PBXs and 30 voice mail systems into a few blade-server-based Alcatel OmniPCX VoIP systems. In hospitals, where dial tone failure is not an option, analog and digital handsets will remain, while back-office deployments will have IP sets on desktops. “It will be about a 33% mix across the board,” he says.


People  power 

Telecom professionals who have successfully moved to IP or are about to start the transition say that recognizing the personal nature of the phone is as important as the myriad technical and system considerations.

“You’re not just changing the technology in the back room,” with IP telephony, Hinkley says. “What you’re doing has an impact on the way associates are using the technology every day; it’s a little more disruptive.”

Hinkley says the IT staff had to learn how branch employees used phones in their daily work routines and what benefits IP telephony might bring.

“We’ve had some lessons learned around the training and how we communicate the use of the technology,” he says. “We’re making sure associates understand the training around how we’re now using the new phone system to execute business processes, and not just as a phone with basic features and functions.”

But before this work begins, IT staffs must prepare their own people for the shift. Large organizations that ran separate telecom and datacom departments in the past say this is the most important move before any steps to deploy VoIP are made.

A year before The New York Times even chose its vendor for IP telephony, the voice and data IT staffs were merged. At first, general cross-training occurred among administrators and technicians. Then the training became more specific once Nortel was selected.

“We not only converged traditionally separate voice and data technical folks, but we have reorganized the entire support and operations teams surrounding this,” Kraft says.
IP phones Buyer's Guide

This Buyer's Guide includes detailed product information on endpoint devices used to access IP-PBX voice services. These products can be desk phones — physical devices that plug into the network via an RJ-45 jack — or soft phones — software clients that load onto network-connected devices.
SCO Group’s last gasp?

Latest IBM, Novell moves don’t bode well for SCO

NET INSIDER

Scott Bradner


At the beginning of the year I predicted that SCO Group would: 1) get its case against IBM thrown out by the judge, 2) fail to show any examples of protected code and 3) declare (financial) bankruptcy, but not edge closer to a 2007 trial date.

With a few weeks left in the year, it looks like I got the predictions wrong, but maybe only by a few months. Here is a quick history lesson for those who have been cave dwellers for the last few years (or who deal only with Windows computers). In March 2003, SCO filed suit against IBM claiming it had violated SCO copyrights by putting Unix code into Linux and asking for billions of dollars in damages. SCO then sued AutoZone, DaimlerChrysler, Red Hat and Novell. SCO sent letters to many companies running Linux systems asking them to stop using Linux. The AutoZone and DaimlerChrysler suits have been dismissed. In the years since filing the IBM suit, SCO has claimed that as many as a million lines of code were illegally put into Linux by IBM. But when push came to shove, SCO identified 326 lines of Linux code to the court (which SCO will not make public) as infringing its copyright. SCO also launched a full-force attack on the GNU General Public License (GPL), claiming that it was unconstitutional, among other things.

Some people might dismiss the SCO shenanigans as irrelevant to them and their companies, and it might not be directly relevant to companies that do not run Linux or open source software (such as Apache Web server) that relies on some type of open source license. But even those folks should be concerned, because if SCO succeeds in its attack on the GPL, we will all have fewer choices for software. Apple OSX, for example, has a lot of open source software in it.

Even so, it looks like we do not have much to worry about, because SCO may not be around much longer. The company did not have a good end to 2006 on either the legal or business fronts.

After SCO filed its final set of documents supporting its claims, IBM filed a series of motions — with more than 590 exhibits — to dismiss all of SCO’s claims and to support the GPL. Novell filed a motion to compel SCO to pay back royalties. One of the judges in the case ruled that SCO cannot augment its claims against IBM, because the deadline has passed and the SCO/Novell suit should get tried first — this suit could wind up with SCO not owning the rights that it has been asserting against IBM. And Novell has asked the court to let it order SCO to drop many of SCO’s claims against IBM, because Novell has a contract with SCO that lets it do just that sort of thing.

If SCO’s money holds out, the Novell/SCO trial will start next September and the SCO/IBM trial in 2008 — if it happens at all. It looks like my predictions just did not take into account the slowness of the U.S. legal system.

Disclaimer: I know of no Harvard opinion on this short — relative to Harvard’s history — case, so the above opinion must be mine.

Bradner is Harvard University's Technology Security Officer. He can be reached at sob@sobco.com.
VIDEO NETWORKS

10 things to know about ’Net video

BY TIM GREENE

IT leaders need to stay out in front of Internet video technology to anticipate corporate needs and the requirements to fulfill those needs in terms of money, time, expertise and infrastructure improvements.

Businesses can benefit in several ways from the technology, from multicasting corporate announcements to videoconferencing to content on Web sites that can help explain products and services to customers.

Technology can be as high end as room-based videoconferencing systems with spatial audio or as simple as Webcams attached to PCs for peer-to-peer sessions. Vendors offering at least some components are as diverse as Tandberg, Polycom, Cisco, Microsoft, Mitel, Avaya and Nortel.

Video on the Internet is at a stage of development similar to where VoIP was a few years ago, as technology changes rapidly and as businesses and regulators grapple with how to deal with it.

Here are 10 items you need to know about video on the Internet:

1. Recognize the different uses of video.

Networks have different needs if they are going to support video on the Internet for educational purposes or for videoconferencing, as compared with streaming presentations presented as part of Web pages. Videoconferencing can eat up 220Kbps to 1Mbps per session, depending on video quality. Streaming video can eat up 50Kbps to 2Mbps, depending on quality.

“How high end do you want to go?” asks Bruce Wiatrak, product marketing manager for media servers at Audiocodes. “Do you want to be just a Webcam and a PC, or are you talking a full room system for videoconferencing with HDTV-type quality?”

2. Make sure network infrastructure is up to the task.

This means evaluating how the needs of videoconferencing are different from users accessing streaming video, for instance.

The quality of connections should be checked for delay, packet loss and jitter even if the company has successfully implemented a VoIP deployment. VoIP, for example, has a higher tolerance for lost packets than video has.

The best way to evaluate a network is to simulate the exact traffic that will be on the network and see how it performs, says Kaynam Hedayat, vice president of engineering and CTO at Brix Networks, which makes gear for such evaluations.

3. Look at the big picture if network upgrades are indicated.

If more bandwidth is required for video as well as other new applications, it may make sense to go for a full network upgrade that supports Gigabit Ethernet to the desktop. “The best case is you don’t need anything; the worst case is you need to rearchitect,” Hedayat says.

Build on existing IP and collaboration platform investments is the advice of Forrester Research. “For example, Microsoft users would look for vendors that integrate with [Live Communication Server],” Forrester says in a recent report.

4. Put the technology on trial - inexpensively, if possible - to discover its possibilities and limitations.

Testing uses for video can be relatively inexpensive, says IP communications entrepreneur Jeff Pulver, chairman of pulver.com. High-quality video cameras for in-house production cost less than $2,000, and there are Web sites that host video for free. “It’s hard to compete with free,” he says.

But free hosting is more appropriate for seeing how corporate video appears on the Internet, not for live sites, he says. “There’s a long list of companies that will host your content for free,” Pulver says. “The big gotcha is viewers may have to sit through some advertising.”

Editing suites for video available from Adobe are used to edit major motion pictures and daily TV shows, he says, but training may be an issue. “The need for the skill set to produce quality work still persists,” he says. “People need to figure out the type of image they want to present of themselves and whether they want to host the content themselves or go to third parties.”

5. Experiment with different video coder-decoders.

They are responsible for translating video into IP and they compress video at varying rates to use up more or less bandwidth. Vendors have developed codecs that provide better quality at lower bandwidth, but the best way to know what to buy is to view samples using different ones. The goal is to strike a balance between acceptable quality and the cost of providing more bandwidth. The rule of thumb, Hedayat says, is to shoot for the newest technology that saves the most bandwidth without sacrificing quality.

This may require extra effort. “Expect some issues that you might have to work with the vendor on,” he says.

6. Make sure other network traffic doesn't eat away at video bandwidth and lessen quality.

Once video is running, it is important to monitor network performance so quality remains high even as more applications are added to the network and traffic patterns change. If bandwidth-hog applications come onto the network and contend with video, it is better to know quickly and figure out what to do about it. This may call for bandwidth-management gear, separate virtual LANs or boosting backbone speeds. “Networks are not static,” Hedayat says.

7. Remember the user.

“Many will not adopt or change their current mode of working without clear guidelines on how to gain the most value out of the features,” says Elizabeth Herrell, an analyst with Forrester Research in a report on unified communications, so training is key.

Also, executives should be encouraged to experiment with video so they can better understand the potential business benefits of using the technology, Pulver says.

8. Non-Internet video may be necessary for certain applications.

This is more expensive than running video over the Internet, but it may be worthwhile depending on the content and its importance to business goals. For critical site-to-site IP video within corporate networks — not over the Internet — seek service-level agreements that guarantee bandwidth that supports traffic without degrading video quality. Best are dedicated circuits or MPLS connections that can support, for example, IP multicasting with video-caliber guarantees.


9. Consider bringing video production in-house.

The cost of producing video via a consultant can far outstrip the cost of doing so with company-owned resources and expertise.

“On most of the budgets that I’ve seen, the second time you outsource, you’ll pay for the full-time salary of one employee,” Pulver says.

But the scale of the video deployment also plays a role, Audiocodes’ Wiatrak says. “I think what typically happens is very large enterprises will end up hosting things themselves for cost purposes and smaller enterprises may go externally,” he says. “I don’t know what the exact breaking point is.”

Smaller businesses cannot afford to hire the full-time experts, so must go to external sources, he says.

10. Keep an eye on regulations pertaining to IP video.

While there is no explicit regulation of video on the Internet, such regulations could arise as a problem, Pulver says.

Just as regulators came to equate VoIP with traditional plain old telephone service (POTS), video also could fall under scrutiny of the Federal Communications Commission, he says.

“So the new POTS will be plain old television service,” he says. “As the consumer can’t tell the difference between video content delivered over the Internet and video content delivered over the air waves, I think we have an issue at hand.”

He hopes this time dialog with regulators and an understanding of the core technology will at least slow down regulations. “It’s probably inevitable that something will happen,” he says. “It’s just a matter of when.”


nww.com

Video conferencing buyer’s guide

This Buyer's Guide includes information about products and hosted services that allow parties in disparate locations to conduct conferences that entail using voice, video and data collaboratively.

www.nwdocfinder.com/1108




Advertisement 


VoIP  Performance  Management: 

From  edge  to  core,  nobody  can  manage  your  VoIP  performance 
in  a  converged  environment  like  Fluke  Networks 


Fluke  Networks'  VoIP  Performance  Management  approach  is  unparalleled  with  the  breadth  of  visibility 
and  depth  of  analysis  our  solutions  provide  including  executive  level  reporting  to  drill  down  analysis 
troubleshooting.  Our  solutions  enable  organizations  to  successfully  deploy  and  manage  VoIP  to  leverage 
its  benefits  without  negatively  impacting  data  performance  within  a  converged  network  by  maximizing 
visibility  throughout  the  enterprise. 

As the only vendor to provide edge-to-core visibility through all aspects of the VoIP lifecycle from
pre-assessment  to  ongoing  monitoring  and  management  to  planning  for  future  growth,  we  support 
the  management  of  VoIP,  data  applications  and  the  general  network  infrastructure.  This  is  critical  to 
enterprise  performance  management  as  voice  and  data  converge,  since  each  has  the  potential  to  impact 
the  other.  Having  network,  application,  and  VoIP-specific  analytics  allows  you  to  clearly  see  how  data 
traffic  is  affecting  call  quality,  and  how  VoIP  traffic  is  affecting  data  quality,  a  significant  advantage 
over  products  that  look  only  at  voice. 


VoIP  Performance  Management: 

Lifecycle  solutions  from  edge  to  core 

Having  a  strategic  plan  for  managing  VoIP  performance 
is  essential  to  success.  At  Fluke  Networks,  we've 
built  our  VoIP  solutions  to  give  network  managers 
edge-to-core  visibility  to  manage  the  entire  VoIP 
lifecycle  -  from  pre-deployment  assessment,  ongoing 
monitoring  and  management,  optimizing  and  planning 
for  future  growth.  Our  solutions  enable  you  to  measure 
infrastructure  effectiveness,  converge  voice  and  data, 
build  out  and  transition  new  networks,  and  quickly  zero 
in  on  application  performance  issues. 

We  call  this  approach  AMMO  -  Assess,  Monitor,  Manage 
and  Optimize  -  a  disciplined  set  of  best  practices  that 
leverage  the  benefits  of  high-performance  VoIP  in  a 
converged  network  and  maximize  the  value  of  the  entire 
infrastructure. 

Assess 

Is  your  infrastructure  prepared  to  deploy  and  support 
VoIP?  Without  a  complete  assessment  of  your  network 
infrastructure  from  LAN  and  WAN  to  desktops  and 
phones,  you  risk  major  performance  issues  -  both  with 
existing  applications  and  with  your  VoIP  rollout.  The 
steps  you  take  to  optimize  VoIP  in  this  first  phase  will 
lead  to  smoother  deployment,  higher  performance 
and  fewer  problems  throughout  the  entire  VoIP 
lifecycle.  Fluke  Network  VoIP  solutions  support  the 
pre-deployment  best  practices  needed  to: 

•  Assess  network  readiness. 

•  Observe  conversations  between  phone 
and  network. 

•  Verify  deployment. 

•  Establish  a  performance  baseline. 

Monitor 

Does your VoIP call quality meet your goals? Do you have the network visibility to address VoIP issues before they affect end users? Once you've deployed VoIP, monitoring actual, detailed traffic - both voice and data - is essential to isolating and managing performance issues proactively.

The  key  to  proactive  monitoring  is  in  identifying 
potential  issues  before  performance  is  actually  degraded 
and  impacts  end  users.  Having  a  standing  monitoring 
solution in place also gives you a complete performance
history,  so  you  can  quickly  identify  root  causes  and 
reduce  MTTR.  Ongoing  monitoring  can  be  conducted 
from  the  core,  individual  routers,  distributed  points  on 
the  network,  and  WAN  links. 

Manage 

VoIP  problems  have  many  causes  -  from  physical 
problems  on  the  local  loop  to  an  over-utilized  port  to 
mis-configured  class  of  service  (CoS)  settings  or  high 
levels  of  jitter  within  the  voice  application  itself.  Fluke 
Networks'  broad  management  and  troubleshooting 
strategy  gives  you  visibility  from  the  edge  phone  to 
the  WAN  link,  between  remote  locations,  and  from 
the  core  across  the  vista  of  your  entire  network.  This 
is  critical  to  isolating  the  cause  of  degradation  and 
reducing  MTTR  when  seconds  and  minutes  saved  often 
go  straight  to  the  bottom  line. 

With  VoIP,  it  is  especially  important  to  find  and  resolve 
intermittent  problems  before  they  grow  and  impact 
more  users.  Our  solutions  enable  network  managers  to 
troubleshoot  issues  ranging  from  the  local  loop  to  the 
port  to  service  level  parameters  across  every  site. 

Optimize 

Making  the  most  of  VoIP  is  an  ongoing  process  that 
requires  capacity  planning  and  traffic  management, 
baselining  performance,  and  continuous  improvement. 
Ultimately,  it's  a  matter  of  visibility  and  control.  For 
an  IT  manager  with  a  converged  network,  edge-to- 
core  management  information  is  critical  to  making 
control decisions that improve performance. Instead of
guessing what might be impacting performance,
granular visibility is needed to help make informed
decisions such as:

•  Increasing  bandwidth  to  handle  additional 
usage  caused  by  VoIP. 

•  Leveraging  and  fine-tuning  CoS  capabilities  with 
an  MPLS  deployment. 

•  Improving  service  level  parameters  from  the 
service  provider. 

•  Shaping  traffic  so  the  most  business-critical  and 
delay-sensitive  applications  have  priority. 

•  Eliminating  recreational  applications  such  as  file 
sharing  and  streaming  media. 

•  Building  the  physical  infrastructure  to  meet  the 
new  demands  for  a  converged  network. 

Essential  edge-to-core  visibility: 

Only  from  Fluke  Networks 

Fluke  Networks  developed  our  VoIP  Performance 
Management  approach  as  part  of  our  Enterprise 
Performance  Management  philosophy,  which  brings 
together  partnerships,  products  and  best  practices  that 
lead  to  high-performance  networks  -  and  enterprises. 
We  are  committed  to  helping  enterprises  deliver 
superior  application,  voice,  and  infrastructure  service 
by  maximizing  network  visibility  and  information 
intelligence  through  monitoring  and  managing 
performance  across  the  LAN,  WAN,  and  multi-tier 
network  environments. 

For  a  closer  look  at  the  essentials  to  VoIP  success  and 
the  only  suite  of  products  that  support  the  converged 
network  with  edge-to-core  visibility,  just  visit  the  VoIP 
Performance Management Solution Center web site
at www.flukenetworks.com/voip - or call customer
service at 1-800-283-5853.

For  more  information 

To  learn  more  about  application  performance  management  solutions, 
visit  www.flukenetworks.com/APM 

FLUKE networks
TECHNOLOGY UPDATE

AN INSIDE LOOK AT TECHNOLOGIES AND STANDARDS


Overlay  network  for  security  policies 


HOW  IT  WORKS:  Policy  &  Key  Manager 


[Figure: diagram of the Policy Enforcement Points (including PEP C) and the network sets they protect; the steps are described in the caption below.]

The  Management  and  Policy  Server  (MAP)  provides  a  hub-and-spoke  network  security  policy,  where  Policy  Enforcement  Point  (PEP)  A  is  the  hub  and  PEP  B1, 
B2  and  C  are  spokes.  The  wide-area  unprotected  network  can  have  any  topology. 

The  Key  Authority  Point  (KAP)  generates  an  outbound  encryption  key  for  each  PEP.  That  key  then  becomes  an  inbound  key  for  the  other  PEPs. 

Next,  the  KAP  creates  the  security  associations  by  combining  the  keys  associated  with  the  policy  from  the  MAP. 

Then,  PEP  A  uses  the  same  outbound  key  to  encrypt  data  moving  from  networks  10.10.0.0  and  10.11.0.0  to  PEP  B1,  B2  and  C.  PEP  B1,  B2  and  C  then  use 
the  key  to  decrypt  the  data  coming  in  from  network  10.10.0.0  and  10.11.0.0. 


BY  SERGE-PAUL  CARRASCO 

One way to ensure the security of business transactions, customer data and
intellectual property is to use IPSec to provide data encryption and
authentication services. However, the management of IPSec policies and the
Internet Key Exchange protocol — which is used for the authentication of end
nodes and the creation of the IPSec security associations (SA) — present
some practical deployment limitations. These constraints can be addressed
using a three-layer approach to security.

IKE is complex because it requires a connection between two endpoints and
completion of a key negotiation. IKE cannot be used if the network traffic is
sent from point to multipoint or multipoint to multipoint, because there is no
single pair of points that can perform key negotiation. As a result, IKE does
not enable the scale of IPSec policies for large networks. For example, if a
network has 100 IPSec nodes with 20 subnets at each node, the number of SAs
could reach 79,200.

Recently, the IETF Multicast Security (MSEC) working group proposed two new
protocols for key distribution: Group Domain of Interpretation (GDOI) RFC 3547
and Group Secure Association Group Management Protocol (GSAKMP) RFC 4534.
These efforts are limited to multicast. While securing multicast
communications is essential, data privacy must be provided over any network
topology, including point to multipoint, mesh, and hub-and-spoke, and for any
kind of IP traffic, including unicast, multicast and broadcast.

There is, however, a way to get around the limitations of the proposed IETF
protocols and IPSec with IKE: By dividing policy and key management into
components (a management plane and a control plane) separate from the IPSec
Encapsulation Security Payload (ESP) data plane, we can change the fundamental
connection-oriented nature of IPSec for encryption of data in motion. The
resulting three-layer approach includes the following components:

Policy enforcement point: PEP devices still exist in the network to protect
traffic, but rather than exchanging keys on a one-to-one basis using IKE, they
receive their own policies, keys and security associations externally from a
centralized entity.

Key authority point: The KAP generates encryption keys and SAs associated with
policies that it then distributes to the PEP units and peer KAP devices.

Management and policy server: The MAP provides network policy management and
policy distribution to the KAP servers. It also can interface with existing
network-based AAA services to provide authentication of the endpoints,
enabling the enforcement of user entitlement through security policies and
encryption keys.

In the management plane, policies are not defined for a device, but for an
end-to-end network. Multiple PEPs can be grouped together over the same policy
in order to encrypt data for point-to-point, mesh, and hub-and-spoke networks.
In the control plane, keys are shared by multiple PEP devices in multiple
paths on a resilient network, or by many endpoints in a multicast application.

This network security overlay for the generation of policies and keys can
accommodate all data-privacy requirements for resilient, multicast and MPLS
networks, and is transparent to the network routing and switching
infrastructure.

However, to provide universal data protection, it must be designed as a
secure, resilient and scalable system: security must be implemented at the
unit, system and communication layer; resilient key operations must be
provided; and the overlay must scale to serve hundreds of endpoints.

Carrasco  is  a  senior  director  of  product 
management  for  CipherOptics. 
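The key model described in the article and its figure caption, worked through as an added example (not code from the article or from CipherOptics): the KAP issues one outbound key per PEP and installs it as an inbound key on every PEP the MAP policy allows. All class and function names are assumptions, the spoke networks are constructed, and the pairwise count assumes one SA per direction for each local/remote subnet pair, which gives the article's 79,200 as a per-node figure.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Pep:
    """Policy Enforcement Point: holds only what the KAP pushes to it."""
    name: str
    networks: tuple
    outbound_key: bytes = b""
    inbound_keys: dict = field(default_factory=dict)   # sender name -> key
    outbound_sas: list = field(default_factory=list)   # (src net, dst net, key owner)


def hub_and_spoke(hub, spokes):
    """MAP policy as directed (sender, receiver) pairs: hub <-> each spoke only."""
    return {(hub, s) for s in spokes} | {(s, hub) for s in spokes}


def kap_distribute(peps, policy):
    """KAP: one fresh outbound key per PEP, installed as an inbound key on every
    receiver the policy allows, then combined with the policy into SAs."""
    for pep in peps.values():
        pep.outbound_key = secrets.token_bytes(32)
        pep.inbound_keys = {}
        pep.outbound_sas = []
    for sender, receiver in sorted(policy):
        src, dst = peps[sender], peps[receiver]
        dst.inbound_keys[sender] = src.outbound_key
        for s_net in src.networks:
            for d_net in dst.networks:
                src.outbound_sas.append((s_net, d_net, sender))
    return peps


def readers_of(peps, sender):
    """PEPs able to decrypt `sender`'s traffic: the exposure set if that one
    outbound key, or any PEP holding it, is compromised."""
    key = peps[sender].outbound_key
    return sorted(p.name for p in peps.values()
                  if p.inbound_keys.get(sender) == key)


def pairwise_sas_per_node(nodes, subnets_per_node):
    """IKE-style count at one node (assumption): one SA per direction for each
    local-subnet/remote-subnet pair with every other node."""
    return (nodes - 1) * subnets_per_node * subnets_per_node * 2


def group_keys_per_node(nodes):
    """Overlay count at one node in a full mesh: its own outbound key plus one
    inbound key per peer, however many subnets sit behind each node."""
    return 1 + (nodes - 1)


def build_example():
    # PEP A's networks come from the figure caption; spoke networks are constructed.
    peps = {
        "A": Pep("A", ("10.10.0.0", "10.11.0.0")),
        "B1": Pep("B1", ("192.0.2.0",)),
        "B2": Pep("B2", ("198.51.100.0",)),
        "C": Pep("C", ("203.0.113.0",)),
    }
    return kap_distribute(peps, hub_and_spoke("A", ["B1", "B2", "C"]))


if __name__ == "__main__":
    peps = build_example()
    for pep in peps.values():
        print(pep.name, "inbound from", sorted(pep.inbound_keys),
              "| outbound SAs", len(pep.outbound_sas))
    print("can decrypt A's traffic:", readers_of(peps, "A"))
    print("pairwise SAs per node, 100 nodes x 20 subnets:",
          pairwise_sas_per_node(100, 20))
    print("group keys per node, 100-node mesh:", group_keys_per_node(100))
```

Because PEP A encrypts to all spokes with the same outbound key, every spoke holds that key, so `readers_of` also shows how far a single key or PEP compromise reaches under a given policy.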


Ask  Dr.  Internet  By  Steve  Blass 


I’m  looking  for  some  good,  easy-to-use  PC 
videoconferencing  software  for  the  holidays. 
The  grandparents  can’t  make  the  trip  but  still 
want  to  visit  with  the  grandkids.  Both  parties 
have  a  computer,  Webcam  and  broadband 
connection.  What  do  you  recommend? 

If you're using the same instant-messaging software, start by looking at the
video-chat features you might already have available. Microsoft, Yahoo and
AOL offer video-chat features in their latest IM clients. A variety of other
video-chat programs, such as Paltalk (www.paltalk.com), iVisit (www.ivisit.com)
and ICQ (www.icq.com), are available for download. For best results, use the
same program at both ends of the videoconference.

Verify  that  both  computers  and  cameras  meet  the 
minimum  requirements  specified  by  the  software  and 
start  with  basic  text  messaging  to  get  the  contact 
lists  set  up  and  working. 

If all goes well, you can establish voice contact next and talk your way
through getting the last details in place so that the Webcam connection and
video-messaging features will work. It should be as simple as plugging
everything in, starting the messenger software, initiating a chat connection
and clicking a Webcam or video link to establish your videoconferencing
session. Providing remote technical support if something goes wrong will be
easiest if you are using nearly identical setups on both ends.

Blass  is  an  IT  manager  in  Phoenix  and  can  be 
reached  at  dr.internet@jschnee.com. 
Introducing the Canon imagePRESS C7000VP. For a totally new kind of
digital  production  printing  that  rivals  offset  quality. 


We’re  not  understating  the  case  when  we  say  it’s  going  to  break  new  ground 
in  digital  production  printing.  Presenting  Canon’s  new  brand  for  production, 
imagePRESS™.  The  imagePRESS  C7000VP  runs  at  70  letter-sized  pages 
per  minute  and  maintains  its  rated  speed  with  varying  paper  weights  for  most 
standard  paper  sizes,  including  11"  x  17"  and  13"  x  19".  The  Canon  imagePRESS  C7000VP 
is  also  a  digital  press,  delivering  quality  output  that  is  comparable  to  offset.  This  is  due,  in  part, 
to  Canon’s  Gloss  Optimization  technology,  which  outputs  images  to  match  the  gloss  of 
the  paper.  In  short,  this  isn’t  just  a  major  advancement.  The  Canon  imagePRESS  C7000VP. 
It’s  what’s  next  for  color. 
Tableau: PivotTable on steroids


GEARHEAD 

INSIDE  THE 
NETWORK 
MACHINE 

Mark  Gibbs 


Last week we were intrigued by the Network World article “Top 10 tech
leaders” (www.nwdocfinder.com/6444), which discussed the results of a survey
of 600 IT executives who were asked for their perceptions of various
attributes of 30 major IT vendors. Attributes included such things as the
superiority of the vendor’s executive management and its leadership qualities,
technology vision and role as a strategic supplier. The survey also gauged
buying intentions.

The results were interesting. IBM was perceived as being tops in executive
management, leadership qualities and technology vision, while Cisco was the
favorite in key technology leadership and as a strategic supplier. Microsoft
won out in buying intentions.

After reading the article we started wondering whether there were
correlations among these attributes. To find that out, the suitable tools
seemed to be Microsoft Excel’s PivotTable and PivotChart.

So, we tabulated the data with the vendors’ names in the first column and the
attribute values in subsequent columns, and put the score data into the body.
We then selected the entire table and made a PivotChart. Seemed like a good
idea, but to make a long story short, it turns out PivotTables and PivotCharts
aren’t suitable tools for this endeavor. You can’t even get as far as making a
scatter plot.

Thus it was that we turned to Tableau Professional Edition Version 2.1,
published by Tableau Software. This is one of the finest applications we’ve
seen this year. It is amazingly fast; has a well-designed user interface that
is remarkably intuitive; and, considering its complexity, it is stunningly
bug-free!

After opening a new Tableau workbook, you connect to a data source. Your
choices for the Professional Edition are Microsoft Excel, Microsoft Access,
text files, MySQL, MS SQL Server, MS Analysis Services, Oracle, Hyperion
Essbase and IBM DB2 OLAP Server.

Once you have opened a source, the data will be split by default into
dimensions (fields containing qualitative, categorical information) and
measures (fields containing numeric or quantitative data). Measures are used
as axes for the rows or columns in a table, and dimensions create headers.
(Note that these distinctions are far more complex when you are dealing with
relational databases where you can convert from measures to dimensions, which
in turn can be converted into continuous quantities.)

In our example, opening the survey data spreadsheet in Tableau gave us eight
measures, one for each of the six attributes plus two created automatically —
Measure Values (a collection of all the measures of your data) and Number of
Records. Two dimensions were created automatically also — Vendor (the names
from the Vendors columns of the original table) and Measure Names, a listing
of all those names.

We dragged Superior Executive Management to the columns field in the charting
area and Superior Leadership Qualities to the rows field. Then we dragged
Vendor from dimensions into the chart to define the data and dragged Strategic
Supplier to the size field and Buying Intentions to the color field. Voila!
One scatter chart comparing those attributes, as we had originally wanted!

Unfortunately this chart didn’t show us anything interesting, but plotting
the Key Technology Leader and the Superior Technology Vision measures showed
that companies that score high in one attribute score high in the other.

These are trivial examples of what Tableau can do, however. To appreciate how
powerful the software is, check out the product tour
(www.nwdocfinder.com/6399).

Tableau Professional Edition costs $1,800, the Professional Edition (MySQL)
version (data sources are limited to MySQL, Excel, MS Access and text files)
is $1,300, and Standard Edition (data sources are limited to Excel, MS Access,
and text files) is $1,000. All versions include one year of upgrades and
support. A free 30-day trial is available.

This  is  a  tool  anyone  doing  serious  quantitative  analysis 
cannot  live  without. 

Send  your  analysis  to  gearhead@gibbs.com  or  on 
Gibbsblog. 


The scoop: M685-E notebook, by Gateway, about $1,800.

What it is: The small-business notebook line from Gateway has been updated —
the M685-E includes the latest Intel Core 2 Duo processors (T5500), along with
a 17-inch display (WXGA resolution). The 8-pound notebook has 512MB of memory,
a 100GB hard drive, DVD burner, four USB 2.0 ports, an IEEE 1394 port and an
NVIDIA GeForce Go 7600 graphics card with 128MB of video memory. The notebook
includes a Gigabit Ethernet port and integrated 802.11a/g wireless
connectivity and is wide enough to include a 10-key keypad in addition to its
full-size keyboard.

Despite an odd-feeling keyboard, the M685-E is a nice, powerful business
notebook.

Why it’s cool: The notebook offers the latest in power and memory to let users
multitask their applications without having to upgrade to a supersized
multimedia entertainment notebook or (shudder) a gaming notebook. This looks
and feels like a normal notebook, although the 17-inch display will make
users’ co-workers a bit jealous. I loved the addition of the 10-key keypad;
that’s something normally not found on a notebook.

Some caveats: Something on the surface of the keypad made me feel like I was
typing on sandpaper — it was very disconcerting after a while. The notebook
tends to get hot after a lot of work, so investing in an appropriate notebook
cooling system is recommended. There’s also no external volume control, so
adjusting the sounds in some applications has to be done through the PC.

Grade: ★★★★ (out of five)


The  scoop:  YP-K5  digital  music  player,  by  Samsung,  about  $180  (for  2GB)  or 
$230  (4GB). 

What it is: The iPod-nano-sized YP-K5 doesn’t look like a normal digital music
player — the blocky black brick looks more like an LG Chocolate cell phone.
The extra bulk is for the built-in external speakers — they open up with a
flick of the wrist, making listening to digital music a group experience.
Selecting songs and moving through the device’s interface is done through an
organic light emitting diode (OLED) touch pad (no buttons to press), which
also reminded me of the Chocolate phone. Besides music, the YP-K5 plays FM
radio broadcasts, displays photos and acts as an alarm clock. Samsung promises
about 30 hours of battery life. Recharging is done through a USB cable; for
that, the YP-K5 needs to be connected to a computer.

Why it’s cool: The integrated speakers are a nice addition to a device that
lets users decide whether they want to listen to music via headphones or just
open it up and share their love of “Funkytown” with friends. The system is
priced competitively with other players with the same capacity and the sound
quality was very good, especially from the built-in speakers.

Some caveats: I couldn’t get the FM radio tuner to pick up a signal, but
others’ experience may differ. The Samsung media software, which helps
transfer files from a PC to the device, got hijacked by Windows Media Player
(which wants to control the music library), so I ended up with two copies of
each song on the device.

Grade: 


Samsung's  K5  music  player 
includes  its  own  speakers. 


Shaw can be reached at kshaw@nww.com. New Cool Tools video every
Thursday, and Twisted Pair podcast every Friday at www.networkworld.com.
IF YOU’RE CONSIDERING VOICE OVER IP TELEPHONY, CONSIDER

your  options:  Only  Foundry  Networks  gives  you  a  true 

VENDOR  AGNOSTIC  SOLUTION  THAT  WORKS  WITH  THE  EQUIPMENT 
YOU  CHOOSE  -  OR  ALREADY  HAVE.  SO  WHETHER  YOU’RE  USING 

Avaya,  Siemens,  Cisco  or  Nortel,  Foundry  networks  gives 

VOICE  TO  YOUR  NETWORK! 


FastIron SuperX


Foundry’s  integrated  Power  over  Ethernet-  and  Quality  of  Service-based  switches  deliver  the 
most  scalable,  secure  VoIP  architecture,  with  the  lowest  latency  and  highest  performance  for  both 
wired  and  wireless  IP  telephony.  Foundry  supports  all  the  VoIP  features  you  need,  including  auto¬ 
matic  phone  discovery,  embedded  endpoint  security,  dynamic  L2-3  QoS  support  and  wireless 
mobility.  And  only  Foundry  lets  you  select  best-of-breed  or  low-cost  IP  phones,  conferencing, 
PBX,  and  voice/ media  gateway  solutions  and  be  assured  of  full  compatibility. 


FOUNDRY 

NETWORKS 

The  Power  of  Performance ™ 


WANT  VOIP?  GET  FOUNDRY.  NO  COMPROMISE. 


Visit  us  Today  at  www.foundrynetworks.com/voip 
OR CALL US: 1 888 TURBOLAN
International: +1 408.586.1700


Foundry  Networks,  Inc.  is  a  leading  provider  of  high-performance  Enterprise  and  Service  Provider  switching,  routing  and  Web  traffic  management  solutions  including  Layer  2/  3 
LAN  switches,  Layer  3  Backbone  switches,  Layer  4-7  Web  switches,  wireless  LAN  and  access  points,  access  routers  and  Metro  routers. 

© 2005 Foundry Networks, the Foundry logo, FastIron SuperX, The Power of Performance and Foundry are trademarks of Foundry Networks, Inc.

All  other  marks  are  trademarks  of  their  respective  owners. 
_INFRASTRUCTURE LOG

_DAY  25:  They’re  in  the  cafeteria!!  AAAGGGHHH!!  These 
useless  things  can’t  work  with  each  other.  They  aren’t 
scalable.  They  aren’t  responsive.  And  you  can’t  adjust 
new  capacity  on  the  fly.  The  horror. 

_So  many  of  them,  I  have  to  eat  standing  up.  My  arches 
are  killing  me.  And  I  got  avocado  on  my  shirt. 

_DAY  26:  The  answer:  IBM  BladeCenter®  with  Dual-Core 
Intel®  Xeon®  Processors  to  boost  performance  and  balance 
workloads.  Its  self-automating  features  make  it  easy 
to  manage,  and  it  has  more  blades  per  chassis  for  a 
smaller  footprint.  The  BladeCenter  even  opened  up  its 
specs,  so  the  things  we  buy  today  can  work  with  the 
things  we  buy  tomorrow. 

_I  can  eat  my  turkey-avocado  sandwiches  in  peace  again. 
Mmmmm . . . 
A peek inside
Sun Labs research


We got a glimpse into the wide-ranging work going on at Sun Microsystems
Laboratories in Burlington, Mass., last week, which includes everything from
core systems science to developments in online gaming and collaboration.

Vice President and Sun Fellow Robert Sproull says the Labs employs 150 and
gets 2% of Sun's roughly $2 billion in R&D money per year. Of all the projects
underway, 60% to 70% are software development efforts, he estimates.

The Labs primarily focuses on technologies that will aid Sun's business units
— but some research takes the company in new directions, such as gaming.

Karl  Haberl  is  the  research  director  on  Project  Darkstar, 
which  he  describes  as  a  software  platform  for  the  develop¬ 
ment  of  massively  multiplayer  online  games  (MMOG). 

While MMOGs are hugely popular — World of Warcraft has 7 million subscribers —
the complexity of the back-end systems limits which vendors can enter the
market and imposes limitations on what players can do in the virtual world.

Haberl says games today are sharded, meaning particular servers handle
different parts of the world and can support only so many players. Besides
being an imposition on players, a server failure is a business liability.

Sun is working on a shardless approach — players can wander where they will —
that has low latency, is scalable and fault tolerant, and supports load
balancing. Just as important, this approach provides a layer of abstraction to
hide the complexity of programming to a multithreaded environment that
supports transaction and data integrity and persistence. The programmer
doesn’t have to worry about explicitly locking and unlocking objects. That may
lower the bar and encourage more companies to enter the gaming market, Haberl
says.

In terms of commercializing the technology, it could be sold to a game-hosting
company or used by Sun to enter that market. The Labs doesn’t cross that path
until the work is more fully baked.

Another technology the company demonstrated was an audioconferencing tool
built in Java that has some interesting features. For example, users can start
a private voice-chat session with any conference attendee and still hear the
conference session in the background, and adjust the audio level for any
individual participant. Users also can migrate the conference call to a cell
phone if they have to hit the road. All sensible advances.

Principal Investigator Nicole Yankelovich says she hopes some pieces of the
project end up in production, but she won’t venture a guess as to where and
how. That’s life as a research scientist.

—  John  Dix 
Editor  in  chief 
jdix@nww.com 
Don't forget HP

Regarding “Are Cisco switches really so expensive?”
(www.nwdocfinder.com/6421): You appear to have left out HP. This omission is
conspicuous because 1) you get free software upgrades for life, 2) you get
free next-day replacement for life, 3) HP has a Cisco CLI emulation mode that
makes it cake to use if you know Cisco and 4) HP switches cost less to
purchase in the first place.

When it was time to replace our aging Baystack gear last year, I chose HP over
Cisco for the above reasons and have not looked back. TCO and value wise, HP
wins hands down.

Joe  Pampel 
Redding,  Conn. 

Vague  neutrality 

I usually agree with Johna Till Johnson, but her column “Nuances matter in net
neutrality” (www.nwdocfinder.com/6423) left me perplexed. Why would Google
support net-neutrality regulations? They developed Google video, purchased
YouTube for $1.65 billion and signed content agreements with Universal, Warner
Music Group, Vivendi, the NHL and others. But with AT&T offering Internet
television on demand in its Homezone package, can Google compete? Only if
their content is not further degraded.

Johnson  is  right  that  net  neutrality  is  still  a  vague 
concept.  There’s  almost  no  way  to  tell  if  content  is 
being  intentionally  degraded,  and  it  may  be  difficult 
to  enforce  legislation  specific  enough  to  address 
real-world  problems.  However,  it  is  important  that  we 
have  a  fair  and  level  playing  field. 

Whether content is charged per bit or per packet, the price should be the same
for any player. A typical market incentive is volume discounts, not volume
overcharges.

Net neutrality may end up being decided in myriad individual court cases
relating to anticompetitive practices, or in government antitrust action. But
the idea that carriers such as AT&T are investing billions in a “money-losing
endeavor” is ridiculous. Video is the next phase of the Internet, and it
requires infrastructure expansion and investment. Net neutrality means that
all players in the video over Internet market receive a fair price as well as
reasonable and enforceable quality-of-service agreements.

Fred  Pierre 
CEO 
Data  Doctor 

Kent,  Ohio 

Wrestling  with  spam 

In his letter to the editor titled “Slippery spam slope”
(www.nwdocfinder.com/6422), Larry Huntington suggests that we can’t do
anything about spam because we don’t know how to define it specifically and
legally. Well, my Google Gmail account catches about 50 spams per day and
seldom makes a mistake. Julian Haight, founder of SpamCop, comes to mind as
one who knows how to define spam after having worked with it for years.

We will never know how to handle spam until we wade into the swamp and start
wrestling with it. Apparently there are those who still believe that money can
be made from spam. If we remove the money motivation, spam will disappear.

Jim  Jordan 
Sacramento 

E-mail letters to jdix@nww.com or send them to John Dix, editor in
chief, Network World, 118 Turnpike Road, Southborough, MA 01772.
Please include phone number and address for verification.
INFRASTRUCTURE INSIGHTS
Daniel Minoli


Metro Ethernet: Where’s the beef?


Metro Ethernet is not new: It’s been around for more than 20 years in various
manifestations. It started out in the mid-1980s as ISDN’s central office-based
LAN; then came IEEE 802.6 and SMDS. The early 1990s saw the deployment of
point-to-point Metro Ethernet, followed by ATM-based multipoint services. The
early 2000s saw the launch of several next-generation carriers offering
services based on metro-level optics for Gigabit Ethernet with virtual LANs or
next-generation SONET. Other approaches have emerged based on Resilient Packet
Ring. Recently we’ve seen some standardization by way of the Metro Ethernet
Forum.

So,  where  is  Metro  Ethernet  now?  Certainly  there 
is  a  lot  of  hype  about  it,  but  we  have  seen  over  the 
years  that  the  value  of  a  technology  is  inversely 
proportional  to  the  amount  of  trade  press  hype. 

Metro Ethernet’s main applications have been broadband Internet access and
virtual private-line service among corporate sites. Using Metro Ethernet is
less expensive than using router blades to connect to SONET links. But
interconnection agreements between carriers are hard to find, even with the
larger providers. Other solutions abound, including MPLS, IP VPN and ATM.

Penetration also has been relatively slow, for several reasons. Fiber access
is still limited to a fraction of all Class A buildings. The performance and
service-level agreements are not yet carrier grade, though progress has been
made. Long-haul Ethernet services are not yet generally available.
Carrier-to-carrier interfaces have not yet become widely available, which is
an issue for users with locations served by different Metro Ethernet
providers. A few years ago there were a number of Metro Ethernet providers,
such as Infoport Communications and Yipes, but a tough marketplace showed that
it is difficult to compete against providers that have a solid infrastructure
developed over decades. Many of the start-ups are gone or have altered the
business model they follow.

What it takes to make carrier-level Metro Ethernet real is the deployment of high-reliability, operationally sophisticated network elements throughout the infrastructure. Carriers have deployed a couple of million SONET network elements at a cost of $100 billion. Carriers are not motivated to declare end-of-life for this equipment. What technology developers do not understand about the carrier’s environment is that the (amortized) cost of equipment is usually 5% of the total cost of delivering a service; up to 30% of the cost is in the operations support side. Hence, for a technology to be successful, it is less important that the equipment is cheaper or that the bandwidth use is more efficient than that it cuts the operations cost by a healthy amount. I remain reasonably optimistic about Metro Ethernet’s value to enterprise users, but what we need is less hype, fewer acronyms, less emphasis on the cost of the network elements and bandwidth savings, and more emphasis on operational capabilities of the network elements, QoS and security. Stay tuned.

Minoli is an adjunct professor in the Stevens Institute of Technology's graduate school and is co-author of several books about metropolitan-area networks. He can be reached at minoli@att.net.
Daniel Briere


Unlocking  ruling  rings  in  more  cellular  chaos 


Last month the U.S. Copyright Office put into effect a ruling that allows cell phone users to unlock their phones. Effectively this ruling will allow — if not easily enable — a user to take any phone from one network to another (compatible) network, even if the original carrier put software locks in place to prevent this.

The ruling makes consumer advocates and many users happy — no one likes to spend money on a device (even a highly subsidized one, such as a mobile phone) and then be limited in its use. So from this perspective, the ruling is both welcomed and a bit surprising, as the vast majority of Digital Millennium Copyright Act rulings have been biased against the consumer.

From  an  IT  perspective  —  although  it’s  a  bit 
early  to  know  exactly  how  many  parties  will  react 
—  the  ruling  may  well  turn  out  to  be  a  mixed 
blessing,  at  least  for  those  who  don’t  prepare  for  it. 

I’m sure many IT managers, like individual consumers, will welcome the ability to take fuller advantage of intercarrier competition and number portability and will use this ruling to leverage existing devices on optimized rate plans across different carriers. Given the cost of business-class smart phone devices, the $20 or $30 required to unlock a phone is a minor expense. And purchasing new phones unlocked out of the box might cost a bit more upfront but may provide an enterprise with an opportunity to standardize on a single handset while still offering choice of carriers based on employee geography and use.

But there’s a “but” here — because this ruling could herald some potential “gotchas” that bear some consideration and planning.

First and foremost will be the possible impact on carriers and their pricing models for handsets. Handset pricing to the user is heavily subsidized. Yes, contracts are used to lock customers into the service, but the devices themselves are also tied to services and carriers by their software locks. When these go away, carriers probably will have to take one of two approaches: make their contracts even more ironclad and contractually lock in customers for long terms, or abandon the subsidies and charge customers something closer to their own costs for handsets. Neither of these possibilities is going to be what the enterprise IT or telecom manager wants. Unlocking a phone may also void its warranty, making support issues fall to the customer and not the carrier.

Another possible impact will be on security. Many carriers lock out not only the ability to move a phone to another carrier but also specific functionalities and features inherent to the phone, such as disabling certain Bluetooth functionalities and cameras. Carriers do this for their own revenue-related reasons — for example, disabling Bluetooth to force you to pay for MMS photo transfers instead of just beaming pictures to a PC — and this can really tick off consumers (witness the class-action suit against Verizon Wireless for Bluetooth feature disablement). But these feature disablements may provide the user with a degree of device security on the cheap — using the earlier example, disabling Bluetooth file transfers may keep employees from syncing corporate data with their home PCs.

What  may  be  worrying  (and  potentially  more 
liberating)  is  the  possibility  that  unlocked  phones 
will  be  more  open  not  only  to  new  networks  but 
also  new  applications.  IT  managers  may  find  that 
unlocked  phones  are  more  likely  to  be  outfitted 
with  potentially  unauthorized  applications  — 
potentially  exposing  corporate  data. 

But the most worrisome issue from an IT perspective is that so many users view their corporate cell phones as their own devices that they can do with as they will. There will be all sorts of new sites flaunting the benefits of opening your phone and loading more things onto it. This is another break in the levee that was already causing IT managers grief. You need to get in front of this issue, track it and understand its impact on your firm. Otherwise, you’re going to find out about it in ways you did not think possible.

Briere is CEO of TeleChoice, a market strategy consultancy for the telecommunications industry. He can be reached at telecomcatalyst@telechoice.com.
Patch management products move toward remediation

Test shows BigFix, McAfee and PatchLink lead in easing remediation woes

BY MANDY ANDRESS, NETWORK WORLD LAB ALLIANCE

Patch management products have evolved from simply pushing out patches to now encompassing more preemptive security measures, including manipulating security configuration settings, deploying standard software packages, maintaining policy compliance and taking an active role in vulnerability remediation.

In this Clear Choice Test we evaluated six products previously rooted in patch management that now claim to help ease remediation activities. All told, we tested Altiris’ Client Security Management Suite, BigFix’s Enterprise Suite, Kace Networks’ KBOX, LANDesk Software’s Security Suite, McAfee’s (formerly Citadel Security’s) Hercules and PatchLink’s Update.

BigFix Enterprise Suite came out on top as the Clear Choice winner, performing well in all categories and standing out in ease of use and customization capabilities. McAfee’s Hercules was a close second, falling slightly behind in its customization capabilities. PatchLink Update rounds out the top three. While it lacks some native support for advanced customization and reporting capabilities we were looking for in a product of this class, PatchLink does make these functions available in add-on components.

We  tested  five  key  areas  of  each  product: 

•  Remediation  functionality  tests  exercised  how  well  a 
product  could  remedy  a  system  issue  through  support  for 
the  operating  system  overall,  via  patches,  registry  key  and 
other  configuration  changes.  Additionally  we  assessed 
how  it  facilitated  manual  and  scheduled  remediation 
tasks  and  whether  it  offered  the  ability  to  create  custom 
remediation  tasks. 

•  Remediation  ticketing/workflow  tests  examined  how 
well  a  product  could  implement  a  remediation  process, 
including  end-to-end  management  of  the  cycle. 

•  Reporting tests evaluated how well a product could provide useful information, through default and custom reports, on remediation tasks to administrators and management personnel.

•  Access  control  tests  examined  how  access  to  the 
product  could  be  controlled,  focusing  on  flexibility, 
granularity  and  integration  with  standard  enterprise 
user  repositories. 

•  Product  management  and  administration  tests  focused 
on  what  you  need  to  do  to  use  the  product  on  a  daily  basis 
and  keep  it  running. 

Here  are  the  details  of  how  each  product  fared  in  our 
testing  (see  “How  we  did  it,”  page  40,  for  a  detailed  test 
methodology). 


Altiris 

The Altiris Client Security Management Suite 6.1 comprises SecurityExpressions — a tool that provides the ability to check security configuration and compliance settings and then remediate those issues, Endpoint Security Local Security and Application Control modules. Patch Management is provided as a separate component. This combination of modules runs on the foundation architecture called the Altiris Notification Server. We focused on the SecurityExpressions and Patch Management components because that combination fulfilled the test criteria.

Altiris’ combined modules handled all the basic remediation functionality we were looking for, excelling in the ability to create custom checks, such as for a specific registry key setting, and remediation actions, such as changing a registry key setting.

SecurityExpressions is not fully integrated into the Altiris system. For example, policy development in SecurityExpressions still occurs through a separate console, but policy checks can be seen in the Altiris console. Because SecurityExpressions is the heart of vulnerability remediation, we would like to see these fully integrated so that creation of policy and configuration checks follows the same interface and process as other Altiris products.

Likewise, we would like to see Patch Management included as part of the overall Client Security Management Suite because it is an integral piece of the remediation scheme.

Management of all the modules occurs through a Web-based console, which was cumbersome to use. It was difficult to perform simple tasks, such as scheduling a patch deployment. The management console provides several dashboards showing charts and graphs, such as missing patches based on criticality. The graphs do not provide the ability to directly drill down to see the corresponding data. This would be a nice addition to make the process of identifying security details more efficient.

Patch deployment settings, including reboot control and user notification, are handled through configuration policies. Administrators define a policy on how patches should be deployed. This is good if your settings are the same for every deployment, but requires some additional work if you need to deploy a patch comprising different settings. We had a hard time finding the settings in the console and documentation, a condition which required that we contact customer support.

We  also  must  note  that  Altiris  does  not  support  more 
advanced  patch-deployment  options  available  in  other 
products,  such  as  pause  or  deferral. 

Access control is tied to the underlying Windows groups and is administered from the product console, so it is easy to integrate with enterprise roles and identity management processes. A few default roles, such as Administrator and Guest, are included, and administrators can create their own custom roles. Permissions are assigned to each of the roles and can be very detailed. However, the user interface for setting security permissions means there is some lack of centralized control. You grant access from the properties tab for different objects as opposed to defining access control from a centralized point. For example, if you want to provide access to reports, you go to the Reports permission tab and make the necessary changes.

The reporting engine provides basic functionality but could be improved. We were able to schedule report runs and create standard reports showing missing Windows patches and remediation actions taken. Exporting reports is not available within the management console. A separate utility called ImportExportUtil is available to export data from the notification server. Trend reports should be available in the next version, according to the vendor.

BigFix 

The BigFix Enterprise Suite comprises the BigFix Server and management console, with agents running on client systems. The management console is a thick-client console that runs on most Windows platforms and is accessed by administrators with the appropriate credentials. Reports are available through a Web-based reporting system. For testing, we installed all management components on a single server, but they can be distributed and scaled easily.

BigFix easily handled basic remediation functions in this test. While the product supports hundreds of system checks out of the box, BigFix excels in its ability to support custom checks and custom deployments. Administrators can create customized Fixlets, the BigFix term for checks and remediation actions, with almost infinite possibility.

Usability also is a big win for BigFix, with easy right-click selection for deploying a fix on the fly. Actions can be scheduled and security baselines defined to ensure systems adhere to defined policies and standards. In our testing, BigFix was the easiest product to navigate and use.

BigFix provided the best options for deploying patches, covering the standard reboot notification, and user suppression options. BigFix also provided some options not available in other products we reviewed, such as the ability to define a specific system criterion or attribute to provide additional detail controls for the remediation measures we were deploying. For example, we were able to define that a system must match a specific Active Directory path before the desired remediation action would take place.

There is a wizard available to create a patch deployment rollback, which helps ease the process but is a little cumbersome.

One area where BigFix could use some improvement is access control. The product includes only three roles and offers only the ability to control a few user privileges.


NetResults

Product: Altiris Client Security Management Suite 6.2
Vendor: Altiris, www.altiris.com
Price: Starts at $88 per node plus $69 per node for patch management.
Pros: Client Security Management Suite adds endpoint security and application security in a single client.
Cons: SecurityExpressions not fully integrated into suite; patch deployment configuration lacks advanced options.
Score: 3.7

Product: BigFix Enterprise Suite (Clear Choice winner)
Vendor: BigFix, www.bigfix.com
Price: $40 per seat, per year.
Pros: Best reporting; Custom Fixlets enable custom remediation actions; very easy to use.
Cons: Detailed access control could be improved.
Score: 4.4

Product: Kace 3.0 (KBOX 1000 Series)
Vendor: Kace Networks, www.kace.com
Price: Starts at $9,500.
Pros: Appliance model allows for quick setup; ticketing supported; alerting service is unique.
Cons: Security components seem to take a back seat to ticket system and software distribution.
Score: 3.4

Product: LANDesk Security Suite 8.7
Vendor: LANDesk Software, www.landesk.com
Price: Starts at $59 per node.
Pros: Based on strong foundation Management Suite, which allows for adding additional LANDesk services on a single platform.
Cons: Difficult to navigate with poor user interface; custom scripting language required for custom remediation.
Score: 3.88

Product: McAfee (formerly Citadel) Hercules Remediation Manager
Vendor: McAfee, www.mcafee.com
Price: $75,800 as tested, includes licensing and support for 500 workstations and 100 servers.
Pros: Best interface; detailed access control.
Cons: Custom report engine not fully integrated into the product and is difficult to use.
Score: 4.35

Product: PatchLink Update 6.3
Vendor: PatchLink, www.patchlink.com
Price: $1,495 per server and $18 per node.
Pros: Strong complement of default reports that can be easily filtered based on key criteria; detailed access control.
Cons: Separate components to get full custom packages and reporting.
Score: 4.25

The Breakdown

Category (weight)                                BigFix  McAfee  PatchLink  LANDesk  Altiris  Kace
Remediation functionality (30%)                  5       4.5     4.5        4.5      5        4.5
Product management and administration (25%)      5       4.5     5          3.5      2.5      4
Remediation workflow (15%)                       3       3.5     3.5        3        2.5      3.5
Access control (15%)                             3       5       4.5        4        4.5      1.5
Reporting (15%)                                  5       4       3          4        3.5      2
Total score                                      4.4     4.35    4.25       3.88     3.7      3.4

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available

The Web-based reporting system was the best we tested, providing an intuitive interface to create standard reports and flexibility to create custom reports. Reports can be exported to multiple formats and scheduled, with results e-mailed upon completion.

BigFix’s visualization tool is an added bonus that maps your network into a sphere for better viewing. This provides the ability to identify changing trends in your environment, such as visualizing which systems do not have a specific patch installed. This could help in pinpointing a network segment or remote office that is not updating properly.

McAfee  (formerly  Citadel) 

Hercules — which has always been a remediation product at its core — comprises the core Hercules Server; the Channel Server, which handles communication with the core server; and the Download Server, which stays in sync with new vulnerabilities and remedies made available by the company. The product uses Microsoft’s SQL Reporting Services as its report engine. The Hercules agent resides on client systems.

The management interface was one of the easiest tested. One of the best features was the quick start module that walked us through all the key actions needed to use the system, such as deploying agents, performing system inventory, launching security assessments and creating reports. The documentation provided by Hercules was excellent, accurate and easy to follow, serving as a great resource through our review process.

Access  control  is  the  strength  of  the  McAfee  package. 
Custom  roles  can  be  created,  with  each  role  having  the 
ability  to  be  assigned  any  subset  of  more  than  70  identified 
tasks.  This  provides  the  flexibility  to  create  access  controls 
that  best  fit  with  an  organization’s  structure.  For  example, 
you  can  create  a  role  for  a  subset  of  your  Windows  server 
management  team  and  provide  team  members  only  the 
specific  tasks  they  need  to  perform. 

Remediation functions worked well, supporting all of our key actions. One note is that while Hercules supports the creation of custom remedies, detection is not as easily defined as in other products tested. For example, you can create a remedy to run a script or change a registry key setting, but you cannot easily create a custom vulnerability check to define how to examine the system to see if the remediation action needs to be performed.

Deployments of remediation actions were easy to perform, for both manual and scheduled tasks. For manual tasks, you select the option from the right-click menu; for scheduled tasks, you only have to walk through a wizard.

For patch deployment options, Hercules supports standard settings, such as user deferral and user messages, but it does not support some of the advanced options, such as limiting number of deferrals or amount of time to delay a remediation action.

Reporting is one area where Hercules could use some improvement. The ability to schedule canned reports and create custom reports is available, but those tasks are done through SQL Reporting Services, not through the Hercules product itself. These tasks should be better integrated into the Hercules console for improved ease of use.

Kace 

Kace KBOX is an appliance-based solution that combines patch deployment, software distribution, vulnerability assessment and help desk ticketing services. This product is positioned as an all-in-one solution for the small to midsize enterprise.

Compared with other products we tested, functionality, user interface and reporting capabilities are not as advanced. Administration is handled through a browser-based interface that is not intuitive or easy to navigate without training.

Kace supports the standard remediation functionality we tested, with the exception of wide operating system support as it maintains only Windows systems. Patches, configuration changes, software deployments and custom scripts are defined and deployed by the system as advertised.

User authentication can be integrated with a central repository such as Lightweight Directory Access Protocol, but the access control thus facilitated is minimal. The system allows for only three access roles, with no ability to add your own. You also cannot modify function assignments.

A number of default reports are included, but only a small subset relates to patch and remediation deployments. A larger number of the reports deal with the ticketing system, handing out reports on tickets per user and time to closure per ticket, for example. Custom reports are available, but the user needs to write the specific SQL query that will generate the desired report.

The help desk ticketing system — where users can submit requests, such as my computer won’t start, I need to have Visio installed, I can’t access the Internet — is a nice feature, but we would like to see increased remediation integration and workflow capabilities. The system has a unique feature in that it can generate a number of alerts, such as alerts calling for specific administrative actions.

We would not recommend KBOX as a stand-alone enterprise remediation tool, but a company looking for a cost-effective solution to handle software deployment, license tracking, system configuration and help desk ticketing would do well to evaluate this product.

LANDesk 

LANDesk  Security  Suite  runs  as  a  component  of  the  foun¬ 
dation  LANDesk  Management  Suite.  While  this  product 
handles  many  of  the  functions  we  tested,  its  overall  usabili¬ 
ty  is  poor,  and  it  was  challenging  to  navigate. We  referred  fre¬ 
quently  to  the  product  documentation,  which  also  was 
hard  to  follow.  It  did  not  contain  any  tutorial  screenshots, 
and  trying  to  follow  the  documented  steps  often  resulted  in 
looking  for  menu  items  or  screens  that  did  not  exist. 

LANDesk supports all operating system platforms and
remediation functionality included in our test, but support
for non-Windows platforms is limited. One example is the
inability to handle bandwidth detection for Unix systems, a
feature that is available with the Windows agent. While
LANDesk supports custom scripts, an unnamed custom
scripting language is used to create them, so administrators
have an increased learning curve for this functionality.

The  ability  to  send  alerts  when  configuration  changes 
are  made  or  patches  are  missing  from  monitored  systems 
is  well  integrated  into  the  product  and  supports  multiple 
communications  media  including  SNMP  and  e-mail. 
LANDesk  rollback  capabilities  are  driven  solely  by  the 
patches  deployed.  Even  if  remediation  is  driven  by  a  vul¬ 
nerability  that  contains  multiple  patches,  you  cannot  roll 
back  by  vulnerability;  you  must  roll  back  the  individual 
patches  comprising  the  vulnerability  remediation  action. 

Access  control  functionality  meets  our  overall  criteria  for 
our  tests,  but  usability  and  administration  could  be  easier. 
Scopes  are  defined  to  identify  what  particular  users  can 
access,  as  well  as  what  functions  they  can  complete  once 
they  have  accessed  those  machines.  For  example,  you  can 
specify  that  Windows  administrators  can  access  only 
Windows  systems,  and  not  the  Unix  systems,  and  only 
install  Windows  patches  once  they’ve  hit  the  machines.  We 
would  like  to  see  more  options  in  the  functions  allowed  to 
each  administrator  because  that  would  help  provide 
increased  security  administration  detail. 

LANDesk  supports  sending  alerts  on  defined  events,  patch 
rollback  and  many  deployment  configuration  options.  For 
example, administrators can show scan progress, defer
install, send messages to users, allow cancellation, and control
bandwidth consumption on deployments.

Reporting capabilities shipped with the Security Suite are
strong. Multiple formats (pdf, html, xls) are available, reports
can be scheduled and we were able to create most of our
test reports. We would like to see the ability to select time
frames for report generation, a function available in many of
the other products. Creating custom reports is supported
through the custom report designer utility, a tool we found
to be complex to use but very complete in its functionality.

LANDesk Security Suite has the functionality, but using
the product is difficult. Several other products we tested,
such as BigFix, do a better job combining strong technical
functionality with ease of use and administration.


Patch  management  Buyer’s  Guide 


This Buyer’s Guide comprises both patch management and
vulnerability management tools. These products can be single-function
offerings or can be part of a multifunction suite of products that
offer patch management, vulnerability assessment and remediation
measures.

www.nwdocfinder.com/1976


How  we  did  it 


11  products  we  installed  for  testing  used  Windows 
2003  Enterprise  Edition  running  on  a  server  with 
a  2.5GHz  CPU  and  2GB  of  RAM.  Altiris  and 
PatchLink  each  supplied  VMware  images  of  their  prod¬ 
ucts,  which  we  ran  on  the  same  Win  2003  system  in 
partitioned  instances. Kace  supplied  an  appliance  run¬ 
ning  its  KBOX  software. 

Agents  supplied  by  each  vendor  were  deployed  to 
client  systems  running  Windows  XP  or  Red  Hat 
Enterprise  Linux. 

Once  installed,  we  tested  each  product’s  ability  to 
handle  patch  deployments,  registry  key  changes,  sys¬ 
tem  configuration  changes  and  other  software  deploy¬ 
ments.  We  launched  these  changes  manually  or  sched¬ 
uled  remediation  to  happen  at  a  future  point  in  time. 
In  our  deployment  tests,  we  examined  options  includ¬ 
ing  reboot  control,  sending  user  messages  and  user 
deferrals.  We  also  created  a  custom  check  to  search  for 
a  specific  registry  key  and  run  a  script  if  the  key  was 
not  found. 

For reporting, we attempted to create a report showing
missing Windows security patches, remediation
actions taken for a specific computer and remediation
actions taken over a period of time for all computers.
We also tried to create a report showing time to remediation
from first identified date and to create custom
reports, which are defined as something not available
in the default reports.

We then tested access control, focusing on how
administrators can delegate actions. We endeavored to
create custom roles and define access to allow a user
to perform only the functions required for their specific
duties. The more detailed the options, the better we
were able to achieve this goal.

We also tested remediation workflow, looking for
approvals, tracking tasks and sending alerts when
events occur. We looked for the ability to roll back
changes in the event something happens and the
change needs to be backed out immediately.

Finally, we assessed overall product administration. We
evaluated the overall user experience and how easy or
difficult it was to perform our tests. We took into
account how easy it was for us to look at the product
and see what the critical remediation tasks were at any
given time. Was a summary dashboard provided with a
quick view of current state, or did we need to drill down
into multiple screens or run a report to see this
information? We reviewed documentation to evaluate how
well it mapped to the product and how it helped when
we had questions on how the product functioned.


PatchLink

For this test, PatchLink submitted PatchLink Update 6.3, its
newest release. While this product contains aspects of all
the functionality we tested, PatchLink has add-on components
that would further enhance its offering, such as enterprise
reporting services and the developer’s kit. Overall,
PatchLink Update is a very solid remediation product that
should be included on anyone’s short list.

PatchLink Update is a Web-based system with almost all
administration occurring through the browser-based interface,
which is easy to navigate and understand. The exception
lies in the software agent management center, which
helps deploy and manage agent software distribution.
Agents can be deployed through the Web interface, but this
additional software helps with bulk distribution.

All of the remediation functionality we required for this
test was available and worked well. Multiple operating system
support, software deployment, registry key changes
and configuration changes are all available.

Manual and scheduled remediation services are available
and worked as advertised in our testing. Setup is handled
through a wizard process, making it easy for first-time
users and ensuring no steps are missed. For custom
changes, PatchLink Update supports creating packages for
deployment, similar to McAfee remedies. What you cannot
do in the base product is create a vulnerability check that
can tell you which systems need to have this task deployed.
For example, if a system has a registry key that can tell you
if the software version needs to be updated, you cannot
perform that check with a custom package until you purchase
the developer’s kit, according to the company.

Most remediation in PatchLink occurs through a wizard
that steps the user through the processes, such as scheduling
a deployment or creating a package. This prevents users
from forgetting critical steps in the process, such as checking
deployment settings before pushing an update.

The reporting facility in PatchLink Update is a collection
of approximately 20 predefined reports, but this appears to
be a comprehensive list that could be manipulated with
quite a bit of flexibility. We were able to create all of our
reports during testing, except one that shows time to
remediation for an issue from initial detection. Additionally, you
can go into the console and create a report based on a
defined time frame, but you cannot schedule a report to
run on a recurring basis with the results automatically
e-mailed to you, for example.

Access  control  is  very  detailed  and  flexible.  Only  a  hand¬ 
ful  of  roles  are  defined  by  default,  but  administrators  can 
create  more  roles  via  the  Web  management  console. 
Function  assignments  for  these  roles  are  very  detailed  so 
that  user  access  is  limited  to  necessary  functions. 

Conclusion 

Overall,  these  patch  management  products  have  ade¬ 
quately  expanded  their  horizons  to  help  remediate 
general  security  concerns  across  deployed  systems.  But 
we  would  like  to  see  them  keep  moving  along  in  the 
right  direction. 

Specifically, as compliance requirements and change
management  processes  continue  to  grow  in  importance  in 
organizations,  we  would  like  to  see  these  products  expand 
their  remediation  workflow  functionality  (which  was  rather 
weak  across  the  board  in  this  test)  to  track  approvals  nec¬ 
essary  to  complete  the  remediation  tasks.  For  example, 
when  a  new  vulnerability  is  identified  on  a  system  requir¬ 
ing  remediation,  the  process  by  which  the  remediation 
should  occur,  the  manager  approving  the  remediation  mea¬ 
sures,  and  the  technician  taking  remediation  actions 
should  all  be  tracked  by  the  system.  Playing  to  that  same 
compliance  requirement  argument,  the  reporting  capabili¬ 
ties  of  these  products,  while  much  improved  over  standard 
patch  management  tools  of  old,  need  to  improve  to  pro¬ 
vide  the  flexibility  required  for  both  the  technical  and  busi¬ 
ness  arms  of  enterprise  organizations. 

Andress is president of ArcSec Technologies, a security company
focusing on product reviews and analysis. She can be
reached at mandy@arcsec.com.
CLEAR CHOICE


A10 provides simple,
ID-based provisioning tool


$20,000 per appliance.

Pros: Quick setup, not overly complex; IP-to-ID
mapping very unique.

Cons: Grammar errors and typos within the GUI;
user interface cumbersome to use at
times. Lacks advanced workflow options.


Identity-based network-account provisioning processes have been marred
by overly complex tools, the costs for which traditionally have been difficult
to justify. Our Clear Choice Test of A10 Networks’ IDSentrie shows this
software package bucks both trends: It provides a simple tool for provisioning
accounts and synchronizing passwords across multiple repositories and
enables user self-service, with relatively low associated deployment costs.


BY  MANDY  ANDRESS,  NETWORK  WORLD  LAB  ALLIANCE 


Overall, we found A10’s IDSentrie to be a good fit for small
to midsize businesses looking for core provisioning
functionality. Core provisioning includes account management
— the ability to create, delete and modify user accounts —
across multiple repositories, password synchronization
across several repositories and user account self-service. At
this juncture, IDSentrie does not provide much in the way
of more-advanced provisioning features, for example, a
workflow system that helps manage approvals, or fully
automated end-to-end provisioning processes.

IDSentrie’s strength lies in its ability to define aggregate
business roles, such as sales manager or HR consultant, and
provision system accounts to multiple target repositories
based on role assignments. Another area where A10 stands
out is in its IP-to-ID technology, which quickly lets an
administrator map IP addresses to the users owning those
addresses at any point in time. This is not a standard feature of
provisioning systems overall, and many administrators
spend hours researching and mapping IP addresses when
the information is required.

We  configured  the  IDSentrie  1000  appliance  for  the  test 
network  and  started  provisioning  for  our  specific  configu¬ 
rations  in  less  than  30  minutes. 

Management  is  accomplished  through  a  Web-based  con¬ 
sole.  We  were  pleased  to  have  the  option  to  redirect  all 
HTTP  traffic  to  Secure-HTTP  for  more  secure  access  to  the 
management  process. 

Once we completed the basic setup and created several
system administrator accounts, we configured the device
to work with our implementation of Active Directory. The
initial configuration of the Active Directory Data Source
was very straightforward. We performed an import process
from Active Directory to populate existing user accounts
into IDSentrie, and then started managing Active Directory
accounts from IDSentrie in about 10 minutes.

To manage account provisioning, we set up what A10
refers to as Forms for administrative and self-service
provisioning tasks. Forms are the pages viewable by the
administrator or user that can be configured in any number of
ways based on the attributes (such as Active Directory
fields) of the target system. Forms are tied to data stores and
can be configured to require certain fields from each user.
They also let the user update certain fields. We defined
several Forms for various roles in our testing organization —
manager, system administrator and HR manager. Each Form
contained different required attributes and could be
updated by users assigned to the role. Our test results were
exactly what was expected.

For  the  self-service  pages,  we  set  up  a  Form  where  users 
could  change  their  password  based  on  a  set  of  challenge 
questions,  which  are  configured  by  users  the  first  time  they 
access the portal. We then logged into the system as a
self-service user to go through the initial process, and
everything worked smoothly.

The  access  control  enabled  by  the  IDSentrie  system  is 
fairly  detailed,  letting  administrators  provide  read, 
read/write  or  no  access  rights  to  the  product’s  different 
modules.  For  example,  one  administrator  could  work  only 
on  user-account  provisioning,  while  a  second  administrator 
could be limited to system-administration tasks, such as
setting up high availability synchronization or shutting down
or upgrading the system. While adequate for the current
focus of the product, access control could be improved by
its having a greater level of detail that would let
administration roles and/or repositories be separated. For example,
one  administrator  could  handle  only  HR  roles,  and  a  sec¬ 
ond  administrator  could  support  only  sales  roles. 

We  did  encounter  a  number  of  spelling  and  grammatical 
errors  within  the  administrative  console  and  in  the  docu¬ 
mentation.  We  continue  to  be  disappointed  by  products 
that  seem  to  miss  the  mark  on  content. 

The  bottom  left  side  of  the  administrative  console  con¬ 
tains  a  countdown  to  show  how  much  time  is  left  until  the 
idle  timeout  disconnects  the  user  from  the  system.  We 
found  this  to  be  very  distracting. We  definitely  prefer  the 
standard  pop-up  warning  to  the  consistent  countdown.  We 
did  like  the  flashing  red  icon  that  prompts  the  user  to  save 
a  configuration  change. 

The Breakdown

Category                      Weight   Score
Provisioning workflow         30%      2.5
Provisioning configuration    35%      3.0
Reporting                     20%      4.0
System management             15%      3.0
Total score                            3.05

Scoring Key: 5: Exceptional. 4: Very good. 3: Average.
2: Below average. 1: Subpar or not available.

While we did not test these features, A10 does support a
separate management network interface to keep management
traffic separate from provisioning traffic. This would
be useful if users wanted to separate network segments or
ensure that they have the highest availability for identity
management functions and synchronization processes
among multiple appliances.

Reports track logon activity, which is not common in most
provisioning systems. A10 also offers reports for basic
activities, such as inactive accounts, locked accounts and
provisioning activity.

As  noted  above,  the  best  reporting  tool  shipping  with 
IDSentrie  is  the  Find  by  IP  feature,  which  lets  the  user  enter 
an  IP  address  and  identify  who  was  accessing  a  system 
with  that  IP  address  during  a  given  time  period.  IDSentrie 
supports  this  feature  for  several  well-known  products  out  of 
the  box,  such  as  Check  Point,  Fortinet  and  Snort.  The  Uni¬ 
versal  Identity  Parser  is  a  free  tool  from  A10  that  lets  the 
user  take  any  text-based  log  file  containing  IP  addresses 
and  map  them  to  individuals. 

We performed our testing with a Fortinet Fortigate-60 and
Snort logs configured to log instant messaging (IM) activity.
Using IDSentrie, we were able to identify quickly which
user was logged into the system and transmitting IM traffic
at the time the Snort log event was generated.
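
The correlation that an IP-to-ID lookup automates, mapping an address in a text log to whoever held that address at the logged time, is sketched below. This is an added example, not A10's code or the Universal Identity Parser; the session records, the log layout and all function names are constructed for illustration.

```python
import ipaddress
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed logon records: (user, ip, session start, session end).
# An end of None means the session was still open when the data was exported.
SESSIONS = [
    ("alice", "10.0.5.21", "2006-11-06 08:02:10", "2006-11-06 12:15:00"),
    ("bob",   "10.0.5.21", "2006-11-06 13:01:44", None),
    ("carol", "10.0.5.37", "2006-11-06 08:30:00", "2006-11-06 17:45:12"),
]

# Constructed text log in a generic "timestamp message src -> dst" layout.
LOG_LINES = [
    "2006-11-06 09:14:03 IM login detected 10.0.5.21:3120 -> 192.0.2.80:5190",
    "2006-11-06 12:40:00 IM file transfer 10.0.5.21:3188 -> 192.0.2.80:5190",
    "log rotated, no timestamp on this line, 10.0.5.21",
    "2006-11-06 14:22:51 IM login detected 10.0.5.21:4020 -> 192.0.2.80:5190",
    "2006-11-06 16:05:09 IM message 198.51.100.7:5190 -> 10.0.5.37:4411",
]


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def build_index(sessions):
    """Return {ip: (sorted start times, matching (start, end, user) records)}."""
    by_ip = defaultdict(list)
    for user, ip, start, end in sessions:
        by_ip[ip].append((parse_ts(start), parse_ts(end) if end else None, user))
    index = {}
    for ip, records in by_ip.items():
        records.sort(key=lambda rec: rec[0])
        index[ip] = ([rec[0] for rec in records], records)
    return index


def who_had(index, ip, when):
    """Return the user whose session on `ip` covers `when`, or None."""
    if ip not in index:
        return None
    starts, records = index[ip]
    pos = bisect_right(starts, when) - 1   # latest session starting at or before `when`
    if pos < 0:
        return None                        # event predates every known session
    _start, end, user = records[pos]
    if end is not None and when >= end:
        return None                        # address was idle: nobody to attribute
    return user


def attribute_log(lines, index):
    """Return (timestamp, ip, user-or-None) for every tracked address in the log."""
    results = []
    for line in lines:
        try:
            when = parse_ts(line[:19])
        except ValueError:
            continue                       # no usable timestamp, cannot attribute
        for candidate in IPV4_RE.findall(line):
            try:
                ipaddress.IPv4Address(candidate)
            except ValueError:
                continue                   # looks like an address but is not one
            if candidate in index:         # only addresses we hold session data for
                results.append((line[:19], candidate, who_had(index, candidate, when)))
    return results


if __name__ == "__main__":
    for stamp, ip, user in attribute_log(LOG_LINES, build_index(SESSIONS)):
        print(stamp, ip, user or "UNATTRIBUTED")
```

The second log line falls in the gap between two sessions on the same address, so it is reported as unattributed rather than pinned on the previous or next user.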

Conclusion 

IDSentrie is a strong identity-management product that is
quick to deploy and easy to use, ideal for SMBs that want to
deploy a tool to improve provisioning processes. The IP-to-ID
reporting tool is unique and can easily provide the
justification for purchasing the product based on the amount
of time that can be saved by automating a very manual
analysis process.

Andress is president of ArcSec Technologies, a security company
focusing on product reviews and analysis. She can be
reached at mandy@arcsec.com.
Buyer's Guide to ID management

Sort  through  products  offering  pieces  of  the  ID  management  puzzle. 
In Their WORDS

Vendor Solutions for Your IT Challenges

COMPANY: The Siemon Company™

OVERVIEW: Established in 1903, Siemon specializes
in the manufacture and innovation of high-performance
network cabling solutions. One of only three network
cabling companies with true global capabilities, Siemon
offers the most comprehensive suite of copper and fiber
cabling systems available. With over 400 active patents
specific to structured cabling, from patch cords to patch
panels, Siemon Labs™ invests heavily in R&D and industry
standards, underlining the company's long-term
commitment to its customers and the industry.

CHALLENGE: The recent ratification of the 10GBASE-T
standards for 10Gb/s transmissions over copper cabling
has highlighted the limitations of UTP cabling. The
inclusion of strict alien crosstalk parameters in the 10Gb/s
standards posed major issues for UTP systems. Although
Siemon and other major cabling manufacturers were
able to meet the 10GBASE-T performance requirements
in a UTP configuration, the resulting designs relied on
increased cable diameters and restrictive installation
practices.

SOLUTION: These UTP limitations raised the profile
of screened 10Gb/s solutions, including Siemon's
10G 6A™ F/UTP. By virtue of their screen, these solutions
defeat alien crosstalk without major design or installation
changes. This fact, coupled with recent innovations
designed to significantly simplify the installation of
screened cabling, has caused many users to consider
10Gb/s screened cabling.

As an indication of screened cabling's growing profile,
Siemon has noticed a strong upward trend in the
adoption of 10Gb/s screened (F/UTP) copper cabling
systems, particularly in markets where UTP has traditionally
been the most popular option. In fact, growth of
10Gb/s F/UTP has outpaced UTP solutions. The rising
end user acceptance of screened solutions is further
evidenced by recent cabling industry response.
Manufacturers known primarily as UTP-focused have begun
to enter the screened market with their own versions.

More information on the growth of screened cabling as
well as Siemon's 10G 6A F/UTP line is available online at
www.siemon.com

800-945-4200
Managing .PST files effectively


BY  MICHAEL  OSTERMAN 

Microsoft  Exchange  is  the  most  widely  used  corporate 
messaging  system  in  North  America,  meaning  that  most 
organizations  have  some  level  of  concern  about  how  they 
manage  .PST  files. These  files  can  be  everywhere  in  a  cor¬ 
porate  network,  distributed  on  file  servers,  local  desktop 
hard  drives  and  laptops.  Users  create  these  files  to  archive 
their  old  content  or  to  offload  e-mails  and  attachments 
when  they  reach  their  mailbox  quota  limit,  or  when  they 
access  corporate  e-mail  from  a  mobile  device. 

Our own research has found that most organizations cannot
access the content in locally stored .PST files. This
becomes a major issue when companies must access this
content, such as when presented with a discovery order to
search across all e-mail stores, including those on local
.PST files. In such a scenario, an IT organization can spend
an enormous amount of time and energy finding all of
these distributed .PST files, extracting data from them,
indexing it and searching for the required content. The problem
will become more serious when unified communications
systems store even more content.

One  solution  is  to  use  a  product  such  as  Sherpa  Soft¬ 
ware’s  MailAttender  for  Exchange.  MailAttender  lets  an  Ex¬ 
change  administrator  proactively  monitor  and  examine 
content  stored  in  .PST  files,  even  allowing  monitoring  of 
remote  .PST  files  through  the  use  of  a  plug-in.  For  example, 
MailAttender  allows  an  administrator  to  determine  how 
many  instances  of  a  particular  attachment  exist  in  all  of  the 
.PST files scattered around an organization, the size of each
.PST file, specific content stored in each file and so forth.

The  advantage  of  using  a  product  like  this  is  that  it  allows 
Exchange  administrators  to  be  proactive  about  how  .PST 
files  are  managed,  it  allows  them  to  respond  quickly  to  re¬ 
quests  to  extract  needed  content,  and  it  permits  overall  bet¬ 
ter  management  of  an  Exchange  environment. 

Osterman  is  principal  of  Osterman  Research.  He  can  be 
reached  at  michael@ostermanresearch.com. 
Application management
appliances are worth a look


BY  JULIE  CRAIG 

When a network manager needs a new router, he goes to
Cisco, buys a box and plugs it in. It may not actually be
quite that easy, but most of the work involved in installing
new network equipment is in design and configuration.

However,  when  an  enterprise  management  engineer 
needs  new  application  management  products,  his  first  im¬ 
pulse  is  to  turn  to  software.  Deploying  software  designed  to 
manage  applications  can  require  almost  as  much  effort  as 
deploying  your  typical  ERP  system  —  months  or  years. 

Application management appliances are often perceived
as pricey alternatives designed to gain control of an
infrastructure gone awry. Companies ante up the cash necessary
to buy appliances that give them deep perspective to
execution environments. Drivers for such purchases range
from recurring problems that defy diagnosis to composite
transactions experiencing perennial performance issues.

Business  applications  are  becoming  so  complex  that 
even  large  enterprises  are  falling  short  in  terms  of  their  abil¬ 
ity  to  manage  them.  Recent  EMA  research  shows  that  the 
percentage  of  IT  problems  actually  solved  in  many  large 
companies  is  between  zero  and  10%.  The  traditional  “war 
room”  team  approach  to  problem  determination  is  becom¬ 
ing  far  too  expensive.  Instead,  compa¬ 
nies  tend  to  add  horsepower,  develop 
workarounds  for  recurring  problems  or 
turn  to  the  reboot  as  the  management 
product  of  choice. 

Today’s application management
appliances are poised to address these
challenges. Their ability to deliver application
intelligence via visibility to execution
environments will contribute to
market share gains as application architectures
continue to become increasingly complex.
Compuware, Coradiant and Wily appliances, designed to
analyze messages embedded in HTTP traffic, have been in
the marketplace for some time. Products that analyze lower
level network traffic, such as EMC (Smarts) and more
recent application management offerings from Network
General and Network Physics, approach the same problem
from a different angle.

Forum Systems, Layer 7, Reactivity and IBM DataPower are
all designed to analyze, parse and transform XML messages.
While these products focus primarily on XML acceleration
and security, their technology also positions them
to extend their reach to application management.

Collectively, appliance-based products have some advantages
over software-based solutions. First, their visibility to
execution environments can streamline the problem resolution
process, enabling them to pinpoint trouble spots in
near real time. They have the advantage of quick and simple
deployment compared with agent-based approaches.
Finally, the fact that they are appliance-based gives them
tremendous processing power. One vendor reportedly
tested its product on non-specialized hardware and found
that certain common chips actually burst into flames.

Over  time,  application  management 
appliances  will  become  increasingly 
common  in  the  data  center.  As  this  market 
matures,  these  vendors  will  be  worth 
watching,  as  they  are  well  positioned  to 
provide  innovative  solutions  for  complex 
application  problems. 

Craig, a senior analyst with Enterprise
Management Associates, can be reached at
jcraig@enterprisemanagement.com.




ADVERTISEMENT 


Tip  #17  By  Netcordia 

Best  Practices  Tech  Tips,  brought  to  you  by  Netcordia. 


Network  Analysis  Tip  #17  -  Redundant  Routing  Peer  Not  Found 


Why  is  this  important? 

How  do  you  know  that  the  routing  redundancy 
(HSRP  or  VRRP)  that  you’ve  designed  into  your 
network  is  continuing  to  operate  correctly? 

Many  of  today’s  networks  require  a  high  level 
of  availability,  particularly  for  business-critical 
applications  and  for  VoIP.  Routing  redundancy, 
provided  by  Cisco’s  Hot  Standby  Routing  Protocol 
or  vendor-independent  Virtual  Router  Redundancy 
Protocol,  eliminates  a  single  point  of  failure  in 
the  routing  infrastructure.  We’ve  frequently  seen 
outages  in  redundant  network  designs  because 
the  first  failure  was  not  detected  and  corrected 
prior  to  a  second  failure.  Relying  on  Syslog  or 
SNMP  Traps  is  insufficient  because  both  of  these 
protocols  use  UDP,  which  may  be  dropped  during 
routing  convergence  or  network  congestion. 

Daily  verification  of  routing  redundancy  avoids 
ugly  surprises. 

Manual  determination: 

Manual  verification  of  routing  redundancy  depends 
on  the  vendor  and  protocol.  Cisco’s  HSRP  can 
be  checked  using  the  command  show  standby, 
looking  for  the  line  that  shows  the  backup  router: 
Standby  router  is  10.20.0.22  expires  in  0:00:07. 
Also check the number of state changes and the
time since the last state change to validate the
group’s stability.

VRRP on Juniper and Cisco routers can be
checked with the command show vrrp.
Unfortunately, standby routers are not known
to the primary router because of how VRRP
works, so more effort is involved. Each router
in the group must be checked to find the
backup routers.

Automatic determination:

Automatic tools that verify the active and
backup routers for each redundancy group
are imperative for high availability networks.
VRRP requires that all routers in a VRRP
group be polled to know that there is a
backup, just as with the manual process.

Two types of automatic output are useful.
The first is a list of all router redundancy
groups, the routers within a group, and the
master/active router of the group.

The second output automatically produces
an alert about any group containing only
one router. In the HSRP analysis display
below, ten subnets are vulnerable,
affected by one router that is missing a
peer redundant router.*

HSRP/VRRP Summary

HSRP/VRRP Groups

Virtual IP Address:   10.1.161.1                   Use Config Timers:  false
Device Name:          tr3-c-rsm-1                  Priority:           110
Interface:            Network Monitoring Segment   Auth:               cisco
Group Number:         161                          Preempt:            true
State:                6                            Preempt Delay:      0
Active Router:        10.1.161.2                   Hello Time:         3000
Standby Router:       10.1.161.3                   Hold Time:          10000
Virtual MAC Address:  00:00:0C:07:AC:A1            Last Change:        2005-01-09 00:11:08.0

The following routers are not recognizing their HSRP peers during the day of 2005-01-04. In
such cases, the router may not be receiving HSRP hellos from the neighbor router. Check the
communications between the routers and the HSRP configuration of the routers in the HSRP
group.

Summary:  Adds + 30   Changes ~ 1   Same = 3   Drops - 0   Supp 0

Rows 1-10 of 30

#    Virtual IP     HSRP Group   Router IP    Router Name     Unknown Peer   Diff
1    10.17.2.1      91           10.17.8.2    B2-dist-rsm-1   Standby        +
2    10.17.8.1      30           10.17.8.2    B2-dist-rsm-1   Standby        +
3    10.17.48.1     110          10.17.8.2    B2-dist-rsm-1   Standby        +
4    10.17.80.1     130          10.17.8.2    B2-dist-rsm-1   Standby        +
5    10.17.96.1     140          10.17.8.2    B2-dist-rsm-1   Standby        +
6    10.17.112.1    150          10.17.8.2    B2-dist-rsm-1   Standby        +
7    10.17.128.1    160          10.17.8.2    B2-dist-rsm-1   Standby
8    10.17.144.1    170          10.17.8.2    B2-dist-rsm-1   Standby        +
9    10.17.160.1    180          10.17.8.2    B2-dist-rsm-1   Standby        +
10   10.17.176.1    190          10.17.8.2    B2-dist-rsm-1   Standby        +
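The two automatic outputs described above, sketched as an added example (this is not Netcordia's code or any vendor's format). It assumes each router in every HSRP/VRRP group has already been polled into one record per group; the record layout, the alert codes and all sample routers and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed state vocabulary: HSRP reports Active/Standby, VRRP Master/Backup.
ACTIVE_STATES = {"active", "master"}
BACKUP_STATES = {"standby", "backup"}


@dataclass(frozen=True)
class PollRecord:
    """One router's view of one group (hypothetical layout, not a vendor format)."""
    router: str
    protocol: str      # "hsrp" or "vrrp"
    virtual_ip: str
    group: int
    state: str         # state this router reports for the group


@dataclass
class GroupSummary:
    protocol: str
    virtual_ip: str
    group: int
    members: list = field(default_factory=list)
    active: list = field(default_factory=list)
    backups: list = field(default_factory=list)


def summarize(records):
    """First output: each redundancy group, its routers and its active/master."""
    groups = {}
    for rec in records:
        # Group numbers are reused across interfaces, so key on the virtual IP too.
        key = (rec.protocol.lower(), rec.virtual_ip, rec.group)
        summary = groups.setdefault(key, GroupSummary(*key))
        if rec.router in summary.members:
            continue  # same router polled twice; keep the first answer
        summary.members.append(rec.router)
        state = rec.state.lower()
        if state in ACTIVE_STATES:
            summary.active.append(rec.router)
        elif state in BACKUP_STATES:
            summary.backups.append(rec.router)
    return groups


def find_alerts(groups):
    """Second output: (group key, code, message) for groups lacking a working backup."""
    alerts = []
    for key in sorted(groups):
        g = groups[key]
        label = f"{g.protocol.upper()} group {g.group} ({g.virtual_ip})"
        if len(g.members) == 1:
            alerts.append((key, "single_router",
                           f"{label}: only {g.members[0]} answers for this group"))
        elif not g.active:
            alerts.append((key, "no_active", f"{label}: no router is active/master"))
        elif len(g.active) > 1:
            # Each router believes it owns the virtual IP: hellos are not
            # getting through between the peers.
            alerts.append((key, "multiple_active",
                           f"{label}: {', '.join(g.active)} all claim active/master"))
        elif not g.backups:
            alerts.append((key, "no_backup",
                           f"{label}: {g.active[0]} has no standby/backup peer ready"))
    return alerts


# Constructed sample poll results; peer names and the VRRP groups are made up.
SAMPLE = [
    PollRecord("tr3-c-rsm-1", "hsrp", "10.1.161.1", 161, "active"),
    PollRecord("tr3-c-rsm-2", "hsrp", "10.1.161.1", 161, "standby"),
    PollRecord("B2-dist-rsm-1", "hsrp", "10.17.8.1", 30, "active"),
    PollRecord("B2-dist-rsm-1", "hsrp", "10.17.48.1", 110, "active"),
    PollRecord("edge-a", "vrrp", "10.30.0.1", 5, "master"),
    PollRecord("edge-b", "vrrp", "10.30.0.1", 5, "master"),
    PollRecord("core-a", "vrrp", "10.40.0.1", 7, "master"),
    PollRecord("core-b", "vrrp", "10.40.0.1", 7, "init"),
]

if __name__ == "__main__":
    groups = summarize(SAMPLE)
    for key in sorted(groups):
        g = groups[key]
        print(f"{g.protocol.upper():5} {g.group:<4} {g.virtual_ip:<12} "
              f"members={g.members} active={g.active}")
    for _, code, message in find_alerts(groups):
        print(f"ALERT [{code}] {message}")
```

Because every member is polled, the same pass covers VRRP, where the master does not know its backups, and also catches the case where two peers each claim to be active.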


Written  by  Terry  Slattery  CCIE  #1026, 
Netcordia’s  founder  and  CTO. 

Terry co-authored “Advanced IP Routing
in Cisco Networks” and has several software
patents; a prior company he founded
trained over 35,000 network engineers.
CAREER DEVELOPMENT ■ PROJECT MANAGEMENT ■ BUSINESS JUSTIFICATION


Massachusetts  CIO  resigns  in  protest 

Louis Gutierrez reflects on a painful second tour as head of the state’s IT department.


Louis Gutierrez was Massachusetts’ first CIO and director
of the state’s Information Technology Division
from 1996 to 1998. He moved to the private sector
before assuming other public-sector posts and was lured
back to his old job in early 2006 following the controversial
departure of his predecessor. Gutierrez resigned in
October after eight months to protest the lack of state
funding for IT projects. Recently he spoke with Amy
Schurr, senior managing editor, features, at Network World.


Can  you  tell  me  about  your  education 
and  training? 

I have a bachelor’s degree from Harvard
in economics and a business degree from
MIT’s Sloan School with concentrations in
IT and finance.

What did you do between 1998 and 2006?

The most significant in-between effort
was joining a corporate-turnaround team at
Harvard Pilgrim Health Care, in an attempt
to avert the bankruptcy and dissolution of
one of Massachusetts’ three largest health
insurers — from 1999 to early 2002.

What  do  you  consider  your  greatest 
career  achievements? 

Working as part of a team that implemented
state government’s first enterprise
data warehouse; playing a part in the rescue
of a great Massachusetts health plan;
and architecting, developing and deploying
the Virtual Gateway to Health and Human
Services. The Virtual Gateway — and the
business process changes it introduced
between the state and every hospital and
health center in the state — was one (if
only one) contributor to a 15+% drop in the
state’s uninsured in the past two years.

Did  you  seek  the  state  CIO  job,  or  were 
you  recruited? 

The job is a tremendous one, and an
honor for any holder — but having been
state CIO once before, I was not looking to
return. There were special circumstances
this year — the final year of an administration,
truly extraordinary conflict
around IT policy, and the need to both
defend and stabilize the institution we
had worked with the Legislature to statutorily
enable in 1995. I received a call asking
that I consider returning to ITD following
Peter Quinn’s departure.

Quinn resigned amid controversy
regarding the commonwealth's move to
Open Document Format and attacks
over his travel expenses. Did these
events lead you to anticipate a rough
road ahead as CIO?

I would not have taken the job if I didn’t
think it was going to be a rough year —
there were others that would have deserved
that opportunity.

Why did you decide to come back, and
what had changed over the years?

I care about information technology in
the public purpose. This has been my core
passion for a long time. I knew that I would
be walking back into an agonizing year. But
if I could play some beneficial role in leading
ITD through the worst of it, I felt that
would be the best thing I could do.

The  greatest  treasure  coming  back  was 
rejoining  many  staff  I  had  worked  with  in 
the  ’90s  —  very  good  people  —  and  getting 
to  know  exceptional  new  staff  as  well.  ITD 
had  also  grown  to  about  twice  the  size  it 
was  when  I  was  there  the  first  time. 

What are the key differences between
managing in the private and
public sectors?

A state operates at a very large scale —
overall state IT expenditure is upwards of
$400 million annually supporting this $25+
billion conglomerate of Massachusetts government
services. The size actually has
many benefits, though, as it can generally
sustain a deeper pool of specialists in various
IT disciplines, and many of the secretariat/departmental
CIOs and central IT
department deputies are tremendous leaders
in their own right.

Managing IT infrastructure in government
is a full-contact sport, with several
teams on the field — an opportunity to
engage many stakeholders to make sure
that the direction you’re heading is supported
broadly by the electorate.


Why  did  you  resign? 

My  assignment  this  year  was  really  as  a 
kind  of  relief  pitcher  in  the  final  year  of  an 
administration  —  it  was  not  sold  to  me,  and 
I  did  not  accept  it,  with  the  anticipation  of  a 
second  major  career  run  as  state  CIO.  With 
that  context  in  mind,  pulling  the  departure 
date  forward  by  60  days  in  order  to  publicly 
highlight  the  deep  exposure  faced  by  the 
statewide  run-out  in  project  funds  may 
appear  somewhat  more  understandable. 
Regardless,  these  were  among  the  longest 
eight  months  of  my  dog-life. 

Describe  the  state's  IT  funding  situation. 

On an operating basis, things are OK —
pretty solid for the moment. But imagine a
$25 billion enterprise that has run dry of
IT project funding. First, there are a limitless
number of things that governments
should be doing to streamline services,
and how they work with citizens and businesses.
There are real economic losses
from unrealized improvements. Second, it
takes very little time for capacity consumption
and real depreciation to get
ahead of the investment curve. Third,
when you get out of the practice of sound
IT project and investment management, IT
governance itself starts to decay.

What were the most important projects
and initiatives that you struggled
to get funded?

A replacement to the state’s tax systems
(MASSTAX2), the state’s backup data center,
an integrated criminal justice system initiative
. . . and 40 other continuing or newly
accepted IT investment initiatives.

What were the biggest challenges you
faced, and how did you try to maintain
morale in the department?

The biggest challenges were a piece of legislation
that threatened to strip ITD of its
authorities, inaction on the funding bill, and
intense stakeholder engagement and
media coverage of the Open Document policy
direction. We tried to maintain morale by
reminding ourselves that what we do matters
and that it’s more important to do what
state government staff do quietly and effectively
every day than to lose focus.

What advice would you give to anyone who
wants to go into IT in the public sector?

One should never underestimate the
costs, the most corrosive of which is a
pervasive social message that “government
is the problem, as are the bureaucrats
who run it.” But if you are willing to
make a few sacrifices, there is nothing I
know that yields quite the same charge
as tackling a big problem, trying to make
things better for our own communities,
and make a difference.

What is next for you?

I need time to reflect and recharge, then I
am rejoining good friends and former colleagues
at IT consultancy Exeter Group.




By 2010, the increase in expense to power and cool servers is projected to be approximately four times the
increase in new server spending.1 The IBM System x3655 Express can help control rising energy costs starting
today. How? It comes with an ingenious technology called PowerExecutive, which allows you to allocate
power to each server, helping to optimize and save you money.2 Only IBM has it. The x3655 is just one of
many Express systems designed for business performance computing. With IBM, innovation comes standard.
So why waste energy on anything else?

AUTOMATICALLY  PUTS 
YOUR  BUSINESS  INTO 
ENERGY-SAVING  MODE. 


IBM  System  x3655  Express 

Mission-critical  availability  and  performance  in  an  affordable  package. 


Monitor  power  consumption  and  allocate  power  where  needed  with  PowerExecutive 
64GB  maximum  low-power  DDR2  memory 


Choose  flexibility  and  robust  I/O  configuration  with  IBM  extended  I/O 

Featuring  the  Next-Generation  AMD  Opteron™  processor  with  AMD  PowerNow!™  technology 


Limited  warranty:  3  years  on-site3 


From 


$2,359 


or  $61/month4 




All prices are IBM’s estimated retail selling prices as of October 3, 2006. Prices may vary according to configuration. Resellers set their own prices, so reseller prices to end
users may vary. Products are subject to availability. This document was developed for offerings in the United States. IBM may not offer the products, features or services
discussed in this document in other countries. Prices subject to change without notice. Starting price may not include a hard drive, operating system or other features.
Contact your IBM representative or IBM Business Partner for the most current pricing in your geography. 1. Based on “IDC, The Impact of Power and Cooling on Data
Center Infrastructure,” Document #201722, May 2006, page six, which highlights that a rapidly rising server-installed base is projected to drive an increase in the cost of
power and cooling over the next five years. 2. PowerExecutive can help save power during periods of lower utilization. 3. IBM hardware products are manufactured from
new parts, or new and serviceable used parts. Regardless, our warranty terms apply. Telephone support may be subject to additional charges. For on-site labor, IBM will
attempt to diagnose and resolve the problem remotely before sending a technician. On-site warranty is available only for selected components. 4. IBM Global Financing
offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers.
Monthly payments provided are for planning purposes only and may vary based on your credit and other factors. Lease offer provided is based on a FMV lease of 36 monthly
payments. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice. Information about non-IBM products is obtained
from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM, the IBM logo
and PowerExecutive are trademarks or registered trademarks of International Business Machines Corporation in the United States and/or other countries. AMD, the AMD
logo, AMD Opteron and AMD PowerNow! are trademarks of Advanced Micro Devices, Inc. Other company, product and service names may be trademarks or service marks
of others. ©2006 IBM Corporation. All rights reserved.


WHY  WAIT? 

PAY  $0  FOR  THE  NEXT  3  MONTHS. 

Get  the  System  x3655  Express 
now  and  defer  payment  for  the 
next  3  months. 

Learn  more  at: 


ibm.com/systems/innovate60


1  866-872-3902 

mention  104CE45A 
ROSE US          281 933 7673
ROSE EUROPE      +44 (0) 1264 85057
ROSE ASIA        +65 6324 2322
ROSE AUSTRALIA   +617 3388 1540


www.rose.com

281 933 7673  800 333 9343

ROSE ELECTRONICS 10707 STANCLIFF ROAD - HOUSTON, TEXAS 77099


RELAX.  YOU’RE  IN  CONTROL  NOW 

Manage  remote  offices  from  wherever  you  are. 

Secure  your  Data  Center.  No  software  licensing  fees. 


State of the art security
Dependable, Powerful, Secure, Guaranteed
USB, PS/2, Serial Support
Digital KVM IP Single, Dual, Quad Models


Digital KVM IP Switches

Switch & control 1,000s
of computers & network
devices over IP

Advanced Security
High resolution
On-screen menu
USB, PS/2, Sun, Serial


Multi-platform KVM switches

Switch & control 1,000s of
computers and network
devices

Advanced Security
High resolution
On-screen menu
USB, PS/2, Sun, Serial


KVM Extenders

Extends keyboard, video,
and mouse signals up to
33,000 feet

Fiber, CATx
DVI, VGA, High Res.
PS/2, USB, Sun
Audio, Serial


KVM Rack Drawers

The most efficient way to
organize your server room.

1U or 2U
15", 17", 19" or 20"
VGA, DVI
PS/2, USB, or Sun
Touchpad or Trackball


Panel Mount LCD

Mounts vertically in a
standard 19" rack.

15", 17", 19", 20", or 23"
VGA, DVI, S-Video
Optional Touchscreen
Optional Built-in KVM Extenders


How  Do  You  Distribute 
Power  in  Your  Data 


Start  with  the  right  rack, 
and  you  can't  go  wrong. 

Get  the  seamlessly  integrated,  fully  compatible  NetShelter®  rack  system  from  APC. 


APC,  the  name  you  trust  for  power  protection,  also 
offers  a  comprehensive  line  of  non-proprietary  racks, 
rack  accessories  and  management  tools  that  ensure 
the  highest  availability  in  a  multi-vendor  environment. 
With  APC's  racks,  accessories,  and  management  tools, 
you  can  design  a  comprehensive  rack  solution  that 
meets  your  availability  needs  for  today  and  that  easily 
scales  up  for  tomorrow. 


Contact  APC  today  and  protect  your  rack  application 
with  Legendary  Reliability. 




NetShelter  is  completely 
compatible  with  APC's 
award-winning  InfraStruXure® 
architecture,  allowing  you  to 
add  rack,  power  and  cooling 
on  a  scalable  as-needed  basis. 


Need  assistance?  Our  expert  Configure-to-Order 
Team  can  custom  tailor  a  complete  rack-mount 
solution  that  suits  your  specific  requirements. 


The  NetShelter®  SX  is 
vendor  neutral  and  carries 
the  "Fits  like  a  Glove” 
compatibility  guarantee. 


NetShelter® SX starts at $1150
Rack enclosures with advanced cooling, power distribution, and
cable management for server and networking applications in
IT environments.

• Integrated rear cable management channels allow easy
  routing, management and access to large numbers of data cables.
• 3000 lbs. weight capacity
• Vendor neutral mounting for guaranteed compatibility
• Toolless mounting increases speed of deployment

Rack PDU starts at $89.99
Power distribution that remotely controls power to individual
outlets and monitors the aggregate power consumption.

• Switched, Metered, and Basic models available
• Includes horizontal-, vertical-, and toolless-mount varieties.
• Puts power in the racks near the equipment where it is needed most.
• Wide range of input and output connections from Single-phase
  to 3-phase.

Cable Management starts at $29.99
Comprehensive selection of accessories designed to organize
power or data cables within a rack environment.

• Eliminates clutter and cable stress.
• 0U of rack space with the vertical cable organizer.
• Quick-release tabs, toolless mounting.

Rack-mount Keyboard Monitor starts at $1550
1U rack-mountable integrated keyboard, monitor and mouse.

• 15" or 17" ultra-thin, LCD monitor with integrated keyboard.
• Ease of installation minimizes support and maintenance costs
  ensuring lower cost of ownership.
• Can be used in a variety of IT environments from computer rooms
  to large data centers.

Blanking Panels starts at $39.99
Designed to improve cooling efficiency by preventing air recirculation
within an enclosure.

• Occupies 1U of rack space.
• Vertical mounting rails with square holes.
• Toolless mounting.

NetBotz® Security and Environmental starts at $889
Protecting IT assets from physical threats.

• Visual monitoring of all activities in the data center or wiring closet
• Third-party monitoring via dry-contacts, SNMP, IPMI, 0-5V and 4-20mA
• User-configurable alarm and escalation policies
• Temperature, humidity, and leak detection


Legendary  Reliability® 


©2006  American  Power  Conversion  Corporation.  All  rights  reserved. 

NetBotz and NetShelter are registered trademarks of American Power Conversion Corporation. 132 Fairgrounds Road, West Kingston, RI 02892 USA AX4A6BFNAM


western telematic incorporated


Web Browser Interface


Console Ports + Power Control + Dial-Up Modem ■ 1U


The CMS-6R4 Console Management Switch is the ultimate tool for economical
Remote Network Management. Six serial ports to access your equipment’s console
ports, four power outlets to perform remote reboot or On/Off control, plus an internal modem
with dial-back features for secure out-of-band access - all in a space saving 1U package! System
administrators can access remote devices from anywhere via telnet, dial-up, local terminal or KVM switch.


Visit  Website  for  Complete  NetReach™  Product  Line 
(800)  854-7226  •  www.wti.com 
5  Sterling  •  Irvine  •  California  92618-2517 
(949)  586-9950  •  Fax:  (949)  583-9514 


Yes,  We  are  Customer  Friendly! 

✓  Two  Year  Warranty 

✓  We  Stock  for  Same  Day  Shipment 

✓  30  Day  Return  Policy 

✓  Call  or  Email  for  an  Online  Demo 


Web  Browser  Access  for  Easy  Setup  and  Operation 
Telnet, Internal Modem and Serial Access
Four  Individually  Switched  Power  Outlets 
Six  DB-9  Serial  Console  Ports 
Port  Specific  Password  Protection 
Dial-Back  Security  on  Modem  Port 
Requires  Only  One  Rack  Unit 
Non-Connect  Port  Buffering 
Data  Rate  Conversion 
120  VAC  Model  -  NEMA  5-15  Outlets 
208/240  VAC  Model  -  IEC320  Outlets 




CDS  offers: 

Hardware encryption over dial-up
and network connections
RSA certified SecurID authentication
without a network.

Patented central management of all
remote devices


Full NIST, FIPS 140-2 certifications

Remote Power control

Homologous world-wide approved
internal modems


CDI has been building encryption equipment for over fifteen years. Our customers and partners include
major  financial  institutions,  government  agencies,  major  telcos,  utilities,  and  the  United  States  military. 


Communication  Devices  Inc. 
www.outofbandmanagement.com 


The  Truth  about  Secure-Out-Of-Band 
A true Secure Out of Band Management
solution should provide strong security without
reliance upon network-based protocols.

E-mail FreeBook@ITWatchDogs.com with your
mailing address or call us at 512-257-1462

AAA East Central Advances Troubleshooting with Observer


Although  advanced  network 
troubleshooting  tools  are  readily 
available,  many  IT  professionals 
continue  to  take  the  old  "trial  and 
error"  approach  to  solve  problems. 
This  is  bad  for  users,  customers,  and 
the  bottom  line.  The  American 
Automobile  Association  (AAA)  East 
Central  shows  how  following  a 
proven  troubleshooting  methodology 
translates into cost savings (and
happier users and customers).

To get better coverage for the entire
network and still stay within budget,
AAA East Central CIO Portia Ulinski
deployed Network Instruments'
Observer® Suite along with 60 probes
across the entire network infrastructure.

"We realized how important
it was to monitor all network
communication at the time destructive
viruses such as sobig and mydoom
were hitting companies around the
world," Ulinski said. "With Observer,
we can see problems as they emerge
and eliminate them before they
have a chance to affect the network."

Knowing what device is causing an
unusual amount of activity can be the
key factor in resolving a situation.
Observer's Top Talkers feature shows
the current activity for every device on
the network in real time.

"We consistently use Top Talkers to
track the total amount of stats for each
office to see if there is any unusual
activity," said Coleman Jennings,
senior network engineer. "It's a big
problem when a device other than
servers, routers or anyone in the IT
department ranks high on Top Talkers."

There could be a number of reasons
someone tops the list. In one case,
Jennings identified an end user
transferring a large number of files to a
server. He investigated further and
discovered that an employee was
backing up an entire hard drive to
that server.

"Through Top Talkers I was able to
track down the person who was
transferring all that data," Jennings said.
"Had I not stopped that person, all the
activity would have overloaded
the system."

On another day, an application
responsible for providing Emergency
Road Service stalled. Without that
application, services get delayed,
which can leave customers stranded at
the roadside for an extended period
waiting for help. Jennings drilled down
with Observer's Connection Dynamics
for a packet-by-packet display of the
application's communication with
each client.

"The time analysis clearly showed
there was a problem with the
application, which I was able
to immediately address, restoring
full service to our customers,"
Jennings said.

Observer monitors network
communication around the clock to
ensure that AAA East Central
constantly receives the information
resources needed.

"Observer is like having an
employee on site at all hours to
manage the network," Ulinski said.
"We've been very satisfied with its
capabilities. So far Observer has
prevented us from experiencing any
downtime."


Observer is the only fully distributed network analyzer built to monitor the entire network (LAN, 802.11 a/b/g, Gigabit, WAN).
Download a free Observer 11 demonstration today. Visit www.networkinstruments.com/analyze to learn more.

US  &  Canada  toll  free  800-526-5958  fax  952-358-3801  UK  &  Europe  +44(0)  1959  569880 
Production Tracking Over Ethernet

Eliminate your shop-floor
PCs with ...

Ethernet Terminals from
ComputerWise connected to
your in-house LAN.

Capture production data
directly into files on your
server.


Features & Benefits

• Interactive Telnet Client
• TCP/IP over 10/100BaseT Ethernet
• Built-in Barcode Badge Reader
• Optional Mag-Stripe & RFID Badge Reader
• Auxiliary RS-232 Serial port
• Customizable Data Collection
  Program Included
• Larger keyboard and
  display sizes available

Call 1-800-255-3739 or visit www.computerwise.com


WIRELESS WIZARD

COMPLETE  WI-FI  MEASUREMENT  SYSTEM 


COVERS  ALL  2.4  GHz  AND  5  GHz  Wi-Fi  BANDS  PLUS 
4.94  TO  4.99  GHz  PUBLIC  SAFETY  BAND 


DIRECTIONAL  ANTENNA  FOR  LOCATING 
INTERFERENCE  SOURCES 


OMNI-DIRECTIONAL  ANTENNAS  FOR 
MEASURING  ACCESS  POINTS 


100  TO  240  VAC  PLUS  12  VDC  OPERATION  FOR  USE 
ANYWHERE  IN  THE  WORLD 


PC  SOFTWARE  TO  DOWNLOAD  TABULAR  AND 
GRAPHICAL  DATA  PLUS  AUTOMATED  DATA  LOGGING 


ONLY  $2950  COMPLETE 


Spectrum Analyzer
power at your fingertips.

E TO THE FUTURE OF DATA CENTERS : HIGH DENSITY HOSTING, INC


FEATURING  UP  TO 


The Typical Data Center can only cool 3KW per rack, however HiDHo can
provide  up  to  20KW  of  cooling  and  the  necessary  power  to  support  the 
Highest  Density  Rack  Mounted  equipment.  This  is  accomplished  by  using 
APC  InfrastruXure™  equipment  which  returns  all  heated  air  directly  back  to 
the  Liquid  Cooled  CRAC  units.  Keeping  up  to  20KW  per  rack  at  a  frosty 
level  is  nothing  to  sneeze  at! 


Grab  a  scarf  and  visit  our  facility.  It  is  a  quick  and  easy  experience  -  just 
call  678-498-4567  or  email  sales@hidho.com  for  a  free  consultation.  Isn't 
it  time  you  store  your  company’s  irreplaceable  data  in  the  coolest  place 

around?  Visit  HiDHo  online 
or  in  person  and  see  why 
this  is...  Just  Plain  Cool. 


678.498.4567  :  WWW.HIDHO.COM  ;  LOCATED  IN  ALPHARETTA,  GA 
High Density Hosting, Inc


Instantly  Search  Terabytes  of  Text 


Contact  dtSearch  for 
fully-functional  evaluations 


The  Smart  Choice  for 
Text  Retrieval®  since  1991 


♦  over  two  dozen  indexed,  unindexed, 
fielded  data  and  full-text  search  options 

♦  highlights  hits  in  HTML,  XML  and  PDF, 
while  displaying  links,  formatting  and 

♦  converts  other  file  types  (database, 
word  processor,  spreadsheet,  email 
and  attachments,  ZIP,  Unicode,  etc.)  to 
HTML  for  display  with  highlighted  hits 

♦  Spider  supports  static  and  dynamic 
Web  content,  with  WYSWYG 
hit-highlighting 

♦  API  supports  .NET /.NET  2.0,  C++,  Java, 
SQL  databases.  New  .NET/.NET  2.0 
Spider  API 


♦  "Bottom  line:  dtSearch  manages  a 
terabyte  of  text  in  a  single  index  and 
returns  results  in  less  than  a  second" 

-  InfoWorld 

♦  "For  combing  through  large  amounts 
of  data,  dtSearch  "leads  the  market" 

-  Network  Computing 

♦  "Blindingly  fast"-  Computer  Forensics: 
Incident  Response  Essentials 

♦  "Covers  all  data  sources  ...  powerful 
Web-based  engines"  -  eWEEK 

♦  "Searches  at  blazing  speeds" 

-  Computer  Reseller  News  Test  Center 

♦  "The  most  powerful  document  search 
tool  on  the  market"-  Wired  Magazine 

For  hundreds  more  reviews  —  and 
developer  case  studies  —  see 
www.dtsearch.com 


dtSearch®  Reviews 


1-800-IT-FINDS • www.dtsearch.com


Efficiently  aggregate  full-duplex  data  into 
your  analysis  or  security  device. 


•Supports  10/100/1000 

•  Stream  into  two  different  devices 

•  Rack  mount  up  to  three  across 

•  Supports  all  commercial  analysis  systems 

•  Also  works  with  open-source  tools 

Learn  more.  Visit  www.networkTAPs.com. 


Buffer  options: 

256  MB . $1,495 

512  MB . $1,995 


Choose  from  a  variety  of  configurations,  options,  and  pricing.  Plus  a 
complete  line  of  copper  and  optical  nTAPs  for  full-duplex  analyzer  systems. 
Free  overnight  delivery* 

www.networkTAPs.com • 1-866-GET-nTAP

© 2006 Network Instruments, LLC.

Protect Your IT Equipment... Don't Wait Until It's Too Late!


IT  Environment  Monitoring 

•  Digital  Temperature 

•  Digital  Humidity 

•  Main  /  UPS  Power 

•  Flood /Water 

•  Smoke  /Fire 

• Cameras, Sound, Light, Air Flow,
  Room Entry, Dry Contacts & More

Easy Online Ordering At EnvironmentMonitor.com

AVTECH Software  888.220.6700  401.847.6700
AVTECH.com  EnvironmentMonitor.com


Yellowjacket® Hive
Software

Site Initiator/Supervisor/
Investigator indoor/outdoor
mapping W-LAN coverage
solution


Berkeley Varitronics Systems Metuchen, NJ 08840
(732) 548-3737 www.bvsystems.com


Shown with
optional
Direction
Finder


802.11b/g W-LAN ANALYZER

• 2.4 GHz (802.11b & g) SPECTRUM ANALYSIS
• Locate hackers and rogue APs
• Pinpoint specific interference sources
• Install & secure Wi-Fi networks


Yellowjacket®
Hive screen
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Homegrown  security  protects  Disney 


BY  JOHN  FONTANA 

The Walt Disney Co. is locking down its applications with cutting-edge
identity-management innovations developed in-house that are helping the
entertainment giant meet its security compliance and auditing goals.

Previously hamstrung by hard-to-manage, one-off authentication and
authorization capabilities built for each application, the company for
more than two years has been using a homegrown set of Web services that
provides centralized authorization to some of its network applications.

The benefits are that access controls can be dialed down to secure
individual applications, much like role-based authorization, and can
secure access to specific buttons, text boxes and functions within those
applications. Access includes such variables as what times, from what IP
address and under what conditions a user can access an application. In
addition, the authorization service, known as Keystone, works across both
network and mobile applications.

Just as important, Keystone relieves Disney developers from having to
build authorization capabilities into each application they develop.
Keystone also makes compliance and auditing reporting easier and more
accurate, because data can be extracted from a single source.

“The opportunity to try and get all our authorization into a single
aggregated database presented a real value proposition in reducing the
cost of compliance and auditing,” said Steve Davis, vice president of IT
at Disney, during a telebriefing/Webcast hosted Tuesday by the Burton
Group. Davis was giving a progress report after detailing Keystone during
the consulting group’s Catalyst user conference in June.

“The second obvious benefit is being able to extract from every
development project 8% to 12% gains, so that each team developing an
application does not have to reinvent the wheel on authentication and
authorization,” he said. Disney built Keystone after being unable to find
a vendor that could meet all those requirements.

Keystone is made up of two parts: multiplatform software agents that run
on the client side of the application and are made available to
developers from within myriad development environments, including Java,
.Net, Delphi and COM; and a centralized authorization service that
resides on the network and includes a console for administering
authorization for all custom-developed applications.

Disney is talking to commercial software developers about how to build
Keystone software components/agents into packaged applications, but it
has had no takers. In fact, the company is not even attempting to
retrofit its own existing custom-developed applications to work with
Keystone.


“There is not a lot of value proposition in retrofitting existing complex
purpose-built apps; it is too much work to put in Keystone,” Davis said.
But he added there is value in incorporating the Keystone authentication
services, which act as a proxy for Disney’s directory and other
authentication sources, into those applications so the company can
achieve a common source of identity to be used for single sign-on and
self-service registration.

“This is a long-term play for us,” Davis said. “We have 1,000
applications or so, and our [Keystone] penetration rate is 9% to 10% of
our developed applications, but we will see that grow.” He said interest
in Keystone among Disney developers is up since the June presentation at
the Catalyst Conference and that Disney has integrated another 15 to 20
applications with Keystone since then to bring the total to nearly 100.

The most important of those additions is the new implementation of the
central reservation system at Walt Disney World in Orlando. The resort
has 60,000 of Disney’s 120,000 employees, which makes it the largest
concentration of employees at a single site of any company in the United
States.

Keystone’s foundation is a set of nine Web services developed more than
two years ago. The most important of those services include the
authentication/authorization service and the audit logging and reporting.

Applications communicate via HTTPS with the Keystone Web service, which
is backed by two identical database clusters, one each on the East and
West coasts.

Those  clusters  have  been  tested 
to  handle  six  times  the  current 
volume  of  authorization  requests 
processed  per  year,  which  total 
between  5  million  and  10  million. 

While the clusters process authorizations, which determine what a user
can do, Keystone passes authentication duties, which validate the user’s
identity, through its gateway to existing back-end systems, including
Active Directory, Sun’s Lightweight Directory Access Protocol and CA’s
SiteMinder Web access management platform. To ensure security, users and
the applications they are accessing are authenticated.

Keystone executes its access-control policies on the client and the
server, Davis said. Once a user is authenticated, a set of assertions as
to the user’s access privileges is passed back to the client software and
held there so the client can validate authorization to use certain
applications and their features. That design helps support mobile users
who are disconnected from the network.

A centralized console provides a GUI for setting and administering
policies on user access, and the database logs every authentication and
authorization for future auditing and reporting chores. ■
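The client-held assertions described above can be sketched as follows. This is an added example, not Disney's Keystone code: the policy layout, element names, key and function names are assumptions, and HMAC stands in for whatever integrity protection the real agents use.

```python
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, time, timedelta, timezone

# Constructed demo key. HMAC stands in for a real signature; a deployed agent
# should verify with a public key so a client cannot mint its own assertions.
SERVICE_KEY = b"constructed-demo-key"

# Constructed central policy: role -> grants on (application, UI element),
# each limited to a time-of-day window and a source network.
POLICY = {
    "reservations-agent": [
        {"app": "reservations", "element": "btn_refund",
         "hours": ["08:00", "18:00"], "network": "10.20.0.0/16"},
        {"app": "reservations", "element": "txt_guest_notes",
         "hours": ["00:00", "23:59"], "network": "10.0.0.0/8"},
    ],
}


def issue_assertions(user, roles, now, ttl_minutes=720):
    """Server side: collect the user's grants and sign them with an expiry."""
    grants = [g for role in roles for g in POLICY.get(role, [])]
    expires = (now + timedelta(minutes=ttl_minutes)).isoformat()
    body = json.dumps({"user": user, "grants": grants, "expires": expires},
                      sort_keys=True)
    tag = hmac.new(SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def client_check(assertion, app, element, now, source_ip, audit):
    """Client agent: verify the cached assertion, then decide (default deny)."""
    expected = hmac.new(SERVICE_KEY, assertion["body"].encode(),
                        hashlib.sha256).hexdigest()
    decision, reason = "deny", "no matching grant"
    if not hmac.compare_digest(expected, assertion["tag"]):
        reason = "bad signature"
    else:
        data = json.loads(assertion["body"])
        if now >= datetime.fromisoformat(data["expires"]):
            reason = "assertion expired"
        else:
            for g in data["grants"]:
                if (g["app"], g["element"]) != (app, element):
                    continue
                start, end = (time.fromisoformat(h) for h in g["hours"])
                network = ipaddress.ip_network(g["network"])
                if not start <= now.time() <= end:
                    reason = "outside permitted hours"
                elif ipaddress.ip_address(source_ip) not in network:
                    reason = "source address not permitted"
                else:
                    decision, reason = "permit", "grant matched"
                    break
    # Every decision is recorded so it can be sent to the central audit log.
    audit.append({"at": now.isoformat(), "app": app, "element": element,
                  "ip": source_ip, "decision": decision, "reason": reason})
    return decision == "permit"
```

The expiry bounds how long a disconnected client can keep acting on privileges that have since been revoked centrally.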
100G Ethernet

continued  from  page  1 

With the approval to move to 100G Ethernet, the next step is to form a
100G Ethernet Task Force to study how to achieve a standard that is
technically feasible and economically viable, says John D’Ambrosia, chair
of the IEEE HSSG, and scientist of components technology at Force 10
Networks.

“There is still a lot of work to be done to finalize our objectives,”
D’Ambrosia says, adding that a formal task force could be approved by
July. A completed 100G Ethernet standard might appear by 2009 or 2010.
“The next step is getting the project into the 802 process,” he adds,
referring to the IEEE’s umbrella of Working Groups for networking
standards, which govern everything from wired Ethernet and Token Ring to
wireless LANs and WiMAX.

The challenge for 100G will be to push Ethernet to a megabits-per-second
speed that does not exist under any standard. Examples of past leaps in
Ethernet speeds that followed the lead of other technologies include Fast
Ethernet, which followed the 100Mbps FDDI standard, and 10G Ethernet,
which used the 9.9Gbps OC-192 SONET as its base. In each case, the
resulting Ethernet standard borrowed components and encoding techniques
used in the existing non-Ethernet standards.

While a comparable 100Mbps standard does not exist for Ethernet to
emulate, D’Ambrosia expects this will not be too great a challenge for
work on 100G. A 100G standard will probably use parallel data
transmission — multiple 10Gbps-plus signals traveling over multiple
fibers or lanes, D’Ambrosia says. “There has been a lot of maturing in
10G technology” around bonding together multiple links, D’Ambrosia says.
“Everyone [in the HSSG] has a high comfort level that we can leverage
existing technology” to achieve a 100G standard.

A recent multivendor demonstration showed one possible implementation of
this kind of parallel 100G Ethernet. The test involved a prestandard 100G
Ethernet protocol stack, which bonded together 10 10Gbps links and
transmitted them over separate optical wavelengths.

Compared with the current standard for link aggregation, the 100G demo
was “similar but different,” says Serge Melle, vice president of
technical marketing for Infinera.

“Link-aggregation groups allow you to group multiple 10G channels
together, but this has limitations on scaling,” because a total of eight
links can be bonded, Melle says. “What we demonstrated is truly a 100G at
the [media access control] layer.”

The demonstration was conducted using a Xilinx field-programmable gate
array (a programmable chip), which acted as the physical 100G Ethernet
MAC layer. Traffic from this layer was transmitted to Finisar short-reach
optical transceivers, which split the signals into 10 separate 10Gbps
dense wavelength division multiplexing wavelengths, sent over Infinera
DWDM gear. At the other end of the link, the 10 separate wavelengths were
reassembled so that that transmission appeared as one logical data flow.
Level 3’s optical network was used in the demonstration, which
transmitted 100Gbps between Houston and Tampa, Fla. ■




54  •  www.networkworld.com  •  12.11.06 


BACKSPIN 


Mark  Gibbs 


Supporting  the  Big  Man 


Yo, Big Man! How’s it hangin? Have I been good this year? Yes, I’ve been
very good this year. I swear, just check your list.

You’ve  forgotten  how?  OK,  I’ll  walk  you  through  it  — 
again.  First,  click  on  Start,  then  Programs,  then  Naughty- 
Nice.  Now  click  on  XmasList. 

I know it’s been a year but it isn’t that hard to figure out!
Yeah, yeah, I know, at your age ... whatever.

So,  did  it  start?  What,  it  won’t  start?  Windows  can’t 
find  it!  OK,  open  Internet  Explorer  —  you  know,  Start, 
then  Programs,  then  . . .  oh,  you’re  there.  Go  to  drive  C, 
then  Program  Files  and  then  NN.  Good.  What?  There’s 
nothing  in  there!  Sheesh. 

OK,  no  problem,  we'll  just  reinstall  it. 

Ah, you didn’t keep a copy of the application installer?
Oh, your drive crashed. And no backup? How surprising!

Fine.  How  many  times  have  I  told  you  that  you  must 
do  backups?  Ah,  you  did  back  up  the  data  file  onto  the 
server  —  which  one?  NorthPole34695?  Good.  At  least  we 
don’t  have  to  get  several  hundred  elves  doing  data  entry 
all  night  like  we  did  last  year.  Boy  did  you  have  to  cover 
some  serious  overtime. 

So let’s download a new copy. You’ve forgotten the download URL? Well, go
to the Web site and log in. You’ve forgotten the Web site? OK, fire up
your browser ... oh great, you’re using Firefox and the site only works
with Internet Explorer. Sigh.

All right, go to Start, click on Run and enter “iexplore”.
Good — OK, now we’re back in business. Let’s search for
XmasList. There you are, click on the link and now log in.

You  don’t  remember  your  account  name?  Let’s  see  . . . 
let’s  try  sclause.  Password?  Try  blitzen  —  no,  all  lower  case. 
Yep,  it’s  a  miracle,  no  doubt  about  it.  Of  course  that  is  the 
same  account  name  and  password  you  always  use. 

We’re in! And what? Your maintenance contract expired?
Well, if you want the upgrade, you’ll just have to flex that
plastic of yours. Mine? Sorry but it’s Christmas, remember?
Don’t have much headroom left on my card either. Well
sure, if you can stop by my house on Christmas Eve and
drop off some jewelry for my wife? No? Thought not. So
I’m going to need my card, aren’t I?

OK,  so  you’ve  renewed  and  downloaded.  Great  —  now 
run  it.  Well,  where  did  you  put  it?  So  run  Explorer  and  find 
it.  Come  on,  Santa,  we’ve  been  doing  this  for  how  many 
years?  Yeah,  well  as  much  as  I  enjoy  growing  old  together 
I’ve  got  a  whole  queue  of  support  calls  on  hold. 

Yes, I know you’re the boss but you are just a cog in the machine like me
and you pay me to keep this IT stuff running so we stay in business. Oh
come on, you always threaten to fire me and you never do. You know no one
else would do support for this outfit for the pathetic wages you pay.
Yeah, I know there’s a first time for everything, but this ain’t it so
let’s move on.

Right, you’ve found it and ... good, you’ve reinstalled it.
Now run it up. Good. Import your data file. Yes, it is in your
subdirectory on NorthPole34695. Yes, your account name
is sclause and your password is blitzen. Yes, b-l-i-t-z-e-n. Yes,
all lowercase (sigh). No, I was just clearing my throat.

OK, now index the list. Yes, it is slow and I told you to
buy a better machine but, oh no, you wouldn’t. “Too
expensive” you said and then you went out and bought
a Wii for heaven’s sake! How old are you?

All right, the indexing has finished. Now enter your
query. That’s right, my last name in the last name field, my
first name in the first name field, and my Social Security
number in the field labeled SSN.

It worked? Well, miracles of miracles. Score another one
for the good guys. So have I been good? It’s coal again?
Yeah, big surprise. That’s life in tech support.

OK, have a good run, Big Man. Yeah. Merry Christmas to
you too. And say “hi” to the missus.

Sleigh  bells  to  backspin@gibbs.com. 


News,  insights  and  oddities 

Holiday  Wi-Fi  warning  as  obvious  as  Santa’s  beard 


For  the  love  of  Saint  Nicholas,  do  not  let  anyone  hang 
holiday  decorations  willy-nilly  about  the  workplace  lest 
you  render  the  office  Wi-Fi  net  as  discombobulated  as 
Santa’s  sleigh  without  Rudolph. 

That’s  the  gist  of  a  warning  from  wireless  LAN  monitoring  vendor  AirMagnet,  which 
last  week  “announced  the  results  of  a  recently  conducted  survey  measuring  wireless 
signal  strength  in  a  standard  office  setting  both  before  and  after  introducing  a  change 
in  the  office  environment  —  holiday  decorations." 

Bah  humbug,  says  my  go-to  guy  on  such  matters,  but  we’ll  get  to  his  complaint  about 
"the  stupidest  press  release  I  have  ever  received”  in  just  a  moment. 

First, AirMagnet has data to share in its “media alert," as the company’s tests
“showed the decorations had a significant impact on the Wi-Fi network, with: signal
strength decreased by 25%; signal deterioration increased over distance by
one-third; and, signal distribution uneven in some locations, deteriorating signal
strength by an additional 10%.”

Maybe  they  didn't  hang  the  tinsel  strand  by  strand.  I’ve  always  been  a  strand- 
by-strand  guy  myself. 

But the details are really beside the point, says Joel Snyder, a senior partner at Opus
One in Tucson, Ariz., and a member of the Network World Lab Alliance.

“Holiday decorations, like any change in the environment, can make wireless better
or they can make it worse,” Snyder says. “To try and instill fear into people,
suggesting that they should be afraid to put up holiday decorations, is ridiculous.
Worrying about such degradation (which, by the way, could be an improvement as
well) is silly, and it’s temporary, and it's slight.”

To be fair, the AirMagnet press release does include the phrase “as with any change
introduced to a wireless environment," but that caveat gets rather lost under an
ominous headline that reads: "Holiday Decorations Can Create Major Wi-Fi Disturbances.”

More from Snyder: “The point here is that any change in the environment, from
moving people around (they are, after all, large bags of water) to file cabinets to . . .
well, to anything, will change the Wi-Fi behavior. We all know that; that's why we all
instinctively move to a window when we make a cell call and the signal is bad.

“Hell, if you’re going to say decorations are a problem, you might as well point out
that parking cars in parking lots will change your wireless, since a lot of our wireless
goes out one window, bounces off the environment and comes in another window.
Maybe we should be requiring people with SUVs to park closer to the building because
that will improve our wireless experience.”

Hey,  Santa,  would  you  mind  moving  that  rust-bucket?  It's  doing  nothing  for  our  signal. 

Can't  registrars  just  say  ‘no’  to  blatant  phishers? 

F-Secure’s  chief  research  officer  Mikko  Hypponen  asks  an  interesting  question:  Why 
can’t  domain  name  registrars  simply  refuse  to  accept  the  business  of  individuals  who 
are  trying  to  register  names  that  would  only  be  used  for  phishing? 

"I  know  you  are  in  the  business  of  registering  domain  names  for  people  who  need 
them,”  Hypponen  writes  in  an  open  letter  to  registrars.  “However,  are  you  sure  you 
want  to  let  people  register  any  domain  name?  Even  when  the  name  is  obviously 
going  to  be  used  for  phishing?” 

He  provides  a  glaring  example:  A  “Craig  Smith"  registering  the  name  "signin-ebay- 
c.com"  with  directNIC  and  then  launching  a  phishing  site  that  directs  the  personal 
information  collected  from  unsuspecting  users  to  an  unsecured  e-mail  address. 

“Wouldn’t  it  make  sense  for  a  registrar  to  filter  such  obvious  registrations  and  have  a 
real  person  review  and  approve  them  before  they  go  through?”  Hypponen  asks. 
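One way a registrar could implement the filter Hypponen proposes, shown as an added example rather than any registrar's actual system. The brand and lure-word lists, the look-alike digit mapping and the function names are assumptions.

```python
import re

# Constructed watch-lists for this demo; a registrar would maintain its own.
BRANDS = {"ebay", "paypal", "visa"}
LURE_WORDS = {"signin", "login", "secure", "account", "verify", "update"}
# Assumed allow-list of names already held by the brand owners themselves.
BRAND_OWNED = {"ebay.com", "paypal.com", "visa.com"}
# Digits commonly substituted for letters (assumed minimal mapping).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def watch_words(token):
    """Return the watch-list words a token consists of, e.g. 'ebaysignin'."""
    known = BRANDS | LURE_WORDS
    if token in known:
        return {token}
    for i in range(1, len(token)):
        if token[:i] in known and token[i:] in known:
            return {token[:i], token[i:]}
    return set()


def review_registration(domain):
    """Decide whether a requested name is registered automatically or held."""
    domain = domain.lower().strip(".")
    if domain in BRAND_OWNED:
        return "approve", []
    # Drop the TLD, undo digit substitutions, then split on non-letters.
    label = domain.rsplit(".", 1)[0].translate(LOOKALIKES)
    found = set()
    for token in re.split(r"[^a-z]+", label):
        found |= watch_words(token)
    # Hold only when a brand and a credential-themed word appear together;
    # whole-token matching keeps "advisable" from matching "visa".
    if found & BRANDS and found & LURE_WORDS:
        return "manual_review", sorted(found)
    return "approve", sorted(found)
```

Names that come back as `manual_review` go to a human reviewer instead of being rejected outright, which matches the review-and-approve step in the open letter.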

We  had  a  few  folks  batting  around  these  questions  on  Buzzblog  last  week,  starting 
with  the  original  post  at  www.nwdocfinder.com/6451. 

The  head  of  the  Anti-Phishing  Working  Group,  Dave  Jevans,  says  ICANN  policies 
are  responsible  for  enabling  much  of  the  abuse  Hypponen  wants  addressed,  and  hence 
the  issue  is  "complex.”  His  full  reply  can  be  read  at  www.nwdocfinder.com/6542. 

Finally,  directNIC  boss  Sigmond  Solares  doth  protest  that  his  company  doesn’t 
deserve  to  be  painted  as  the  bad  guy  here  at  www.nwdocfinder.com/6543. 

Want  to  chime  in  yourself?  The  address  is  buzz@nww.com 